[This report is my attempt to synthesize reports from each contributor. It is not a collaboration between its authors. Thus, all deserve credit for their contributions, but none is necessarily responsible for specific statements. -Paul Syverson] The third annual Financial Cryptography Conference (FC 99) was held in Anguilla in the British West Indies from Monday February 22 through Thursday February 25, 1999. The conference was a rousing success, Attendance was up again with approximately 130 participants from business, academia, and government with interests in cryptology, computer security, and/or the financial industries. There were many new attendees from previously unrepresented venues. For example, Victor Dostov led a contingent from St. Petersburg, Russia to hear from others and to talk about their own PayCash system for anonymous transactions. They are backed financially by Tavrichesky Bank in St. Petersburg, and one can find more information adn a demo of their system at www.paycash.ru Once again, the conference took place in the increasingly cramped surroundings of the purpose-built conference facility at the InterIsland Hotel in Anguilla, BWI. Fortunately, the industrial dispute of American Airlines pilots apparently failed to disrupt the arrival of delegates from the United States. However, as is by now traditional, a certain amount of luggage remained sulking in San Juan, Puerto Rico even after its owners had been delivered. All parties did eventually seem to catch up with each other. As usual, the conference delegates were welcomed by the Anguillan Minister of Tourism. He reminded us that Anguilla's offshore tax haven status continues to be an incentive for the conference to be located there. Naturally, financial issues are thematic to the conference itself: sponsor and exhibitor e-Gold brought this home by distributing silver dollars to those who took time to learn more about their service (of which more later). One of the most popular technical themes was anonymous digital money protocols. The basic principles of these schemes, using blind signatures, have not changed significantly in recent times, but improvements were presented which recognised practical necessities. Firstly, that complete anonymity is e-cash schemes is undesirable, due to the possibility of undetectable blackmail or bank robbery, and the needs of the law enforcement agencies to trace money involved in criminal activity. Secondly, that detection of abuse such as double-spending of electronic coins needs to be practical. The conference was sponsored by: E-Gold, gold-backed electronic payment system, www.e-gold.com; Euro RSCG Interactive, web development and marketing, www.eurorscg.com; Hansa Bank, Anguilla offshore bank, www.hansa.net; nCipher, high speed hardware cryptographic accelerators, www.ncipher.com; Offshore Information Services, Anguilla server hosting, www.offshore.com.ai. The remainder of the description focuses on the technical program, consisting of presentations by cryptology and computer security researchers and practitioners. Highlights included the Tuesday "Crypto Predictions" invited talk by Adi Shamir, and the two panels on certificate status (Tuesday) and copyright issues (Wednesday). Speakers are [sometimes] identified by name and affiliation; an asterisk(*) identifies the presenter. As in 1998, the conference was opened by Victor Banks, the Anguillan Minister of Finance, who thanked us for coming and said we were very important to the island, both as an event and as the creators of the concepts on which much of Anguilla's success might be based. Banks spoke of Anguilla's favorable position to attract financial cryptography businesses, due to favorable tax situation, good weather, suitable regulation (including strict financial secrecy laws), and also proposed the idea of a "technology park" within which certain undesirable features of Anguilla, such as the telecommunications monopoly of Cable and Wireless, would be suspended. He apologized for being unable to stay, explaining that there was an election happening on March 4. Monday Morning (22 February) - Technical Program After the opening remarks, the first conference session, "Electronic Commerce", began. This session was chaired by Matt Franklin. The first paper was "Experimenting with Electronic Commerce on the PalmPilot" by Neil Daswani (*) and Dan Boneh (Stanford). Neil described an electronic payment system implemented in a PalmPilot. For these purposes, the PalmPilot is used like a smart card, but has no tamper resistance--so stored value schemes (like Mondex) are problematic. However, the device is implicitly trustworthy (and can interact with the user), so fraud by merchant terminals isn't an issue. The implementation is based on Rivest's PayWord scheme, adjusted to minimize storage and processing requirements; in particular, it uses RSA signatures in one direction (to the PalmPilot) and Elliptic Curve in the other, taking advantage of the superior performance of RSA verification and ECC signing. They had to contend with the Pilot's small memory, slow processor, and other limitations, and in the process benchmarked various cryptographic algorithms on the Pilot platform -- for instance, a 1024-bit RSA keypair generation would take approximately 20 minutes, also rapidly draining the device's batteries. Their design was driven by these limitations to use a hybrid ECC/RSA system, as certain operations in the RSA cryptosystem were substantially faster than in the ECC cryptosystem and vice versa. It also used a hash chain in order to minimize the number of public key operations required. The experimental application was to use a variant of the "Payword" scheme, called PDA-Payword, to purchase goods from a vending machine on the Stanford campus, using a docking system to interface with the pilot at point of sale. Their system only functioned with a single bank and single merchant. Some of the audience questions and suggestions seemed very productive -- online/offline precomputed signatures were suggested as a means of minimizing online computation on the limited Pilot platform, as well as schemes to use a desktop computer for high-speed calculation, downloading partially computed signatures to the Pilot for later use. "Blinding of Credit Card Numbers in the SET Protocol" Hugo Krawcsyk (Technion, IBM Research), presented by Gene Tsudik(*) (USC-ISI) This paper describes a mechanism for blinding customer identity in SET, necessary because customer identity is transmitted in the clear, in the customer's certificate (which is transmitted in the clear because of export considerations). The transaction itself (which is encrypted) carries the actual credit card number, which is matched against the customer ID using an HMAC-based construction that provides both secrecy and unforgeability. These properties are important because credit card numbers are relatively small (20 digits), so it should not be possible to guess valid numbers, or to validate guesses. This talk described in excruciating detail the design process which led to the selection of the SHA-1 HMAC construction as the credit card number blinding function in the SET protocol. SET requires the creation of a cardholder ID which is related to the cardholder's credit card number, but must protect the credit card number itself from evesdropping, as well as protection from exhaustive search of the (small) credit card number space. The function must also be collision resistant. However, linkability across transactions is acceptable. HMAC SHA-1 meets these requirements, and has been selected as the official SET blinding function. After a brief coffee break, the next session commenced -- "Anonymity Control", chaired by Yair Frankel. "Trustee Tokens - Simple and Practical Anonymous Digital Coin Tracing" Ari Juels(*) - RSA Laboratories Ari presented a simplified anonymous coin system, trading off features and trustee flexibility for simplicity of protocol. The scheme requires Alice to send a blank coin and blinding factor to a trustee, who validates the coin, and returns a signed trustee token, which is then used by the bank when issuing the actual coin. The scheme can be extended to prevent the trustee from spending coins, and to allow a single trustee interaction to validate many coins. It is based on Chaumian E-cash, but may be extensible to other schemes as well. Ari believes that the extensions to blinded electronic cash have compromised the initial simplicity and elegance of the design in their pursuit of various features, including tracing of coins. In this system, the user interacts with a trustee during coin withdrawal, providing the issuer of the coins with transcripts, or tokens, of interaction with the trustee which assure the issuer that the trustee can trace coins on demand. This system can be layered on top of many electronic cash schemes, and is relatively efficient. A great deal of efficiency can be realized by the user withdrawing large numbers of trustee tokens instead of going to the trustee before every transaction. In the questions following the presentation, the point was raised that if the user had large numbers of trustee tokens on the user's hard drive, they became an attractive target for theft if the user was forced to withdraw coins. Another audience member was concerned that the trustee could steal coins of the user, which is addressed by using a public key pair rather than the coin itself in the trustee token. Finally, questions of general trustee policy and the requirements to become a trustee were raised -- it is important that malicious users not be able to be their own trustees, but also important that honest users be given a wide enough selection of trustees to assure that the trustees do not collude to spuriously unblind users' coins. "A New Approach for Anonymity Control in Electronic Cash Systems" Tomas Sander(*), Amnon Ta-Shma, International Computer Science Institute, Berkeley This paper's goal is to be able to deter money laundering and related activities by limiting the amount of E-cash that any particular user can have, while still preserving the privacy of legitimate users. This paper is one of the first online electronic cash systems to take advantage of a fundamental observation -- of those activities requiring financial privacy, only those made by criminals involve large amounts of money -- honest users do not particularly want their few large transactions, such as buying real estate, to be highly confidential. Because traditional E-cash is transferrable, laundering is easy--but introducing a "non-transferrability secret" (NTS) that is valuable to the users, and required to effect transfers, motivates user not to engage in inappropriate behaviour. In their system, Sander and Ta-Shmra restrict users to a single account, a maximum monthly withdrawal of US$ 10 000, and incorporate a "non-transferability secret" to prevent a subset of the users from pooling funds for illegal purposes. The system provides guaranteed anonymity for transfers under $10k/month, without having to trust an external trustee, unlike most other "fair electronic cash systems". The scheme is based on Brands' E-cash, because it appears that blind signature schemes may be unable to be usable except by involving escrow agents. A questioner pointed out that laundering can always occur in small denominations spread over a large number of users, perhaps by automated software. Sander and Ta-Shmra concede that their system could be used for small time criminals, but raise the question of exactly how desirable it is to provide the authorities with highly detailed data on small transactions, even technically illegal ones, if the cost is privacy for average users. In the next session, Fraud Management, chaired by David Goldschlag, there was a last minute change of schedule. Yacov Yacobi's talk was delayed until Thursday and replaced by the following. "Dynamic Fault-Robust Cryptosystems for Enterprise Organizational Change Control" Yair Frankel(*) and Moti Young (CertCo) This paper explored handling organizational changes (such as changes in roles and duties, mergers and spinouts, etc.) that require reassignment of cryptographic keys and rules involving keys. "Views" are defined to represent each party's knowledge of the system state and inference rules for making deductions. Fault-tolerant cryptographic primitives, such as revocation, threshold schemes, can be used to accommodate changes. A very interesting question was raised after this presentation: how does one deal with root keys and the very top of the tree during major corporate events such as mergers? There seems to be no clear answer to this question, although there was some handwaving about involving the board of directors. "Assessment of Counterfeit Detection Systems for Smart Card Based E-Cash" K. Ezawa, G. Napiorkowski, M. Kossarski(*) (Mondex International) The authors describe a simulator for the Mondex environment, modeling the behaviour of system participants (consumers, merchants, issuers), as well as the monitoring systems, in the face of attacks. Ledger controls are used (and planned) in the system to detect introduction of counterfeit value, matching total float against transactions. The attack scenario involved 200 days of normal use, followed by 6 days of attack (1 test, 1 full attack, 1 monitoring, and 3 more full attack), and was successfully detected. This presentation was primarily about the Mondex system and Mondex's internal simulators. They have a system which allows Mondex to simulate the injection of counterfeit value into the system, then monitor its dispersion through the system, under various fraud detection mechanisms, to see how fast counterfeit value spreads diffuses through the system and is redeemed. Their model assumes payee cards cannot distinguish between counterfeit and real mondex cash, and takes advantage of the Mondex design feature whereby hardware-enforced value limits are possible on each device. They also have made the decision to maximize Mondex income, rather than making fraud impossible -- if it costs a huge amount of money to compromise a card, and the expected return is less, there are not concerned, calling this simple vandalism. A questioner asked what would be done in response to such an attack, which was answered, roughly, as "we've thought about it, we have rules and procedures, and we'll deal with it if it happens" A point raised in separate discussion after the presentation is that a widespread attack on the Mondex system may be successful, as if one can spend a large amount of money to come up with an efficient way to compromise cards, then compromise a large number of cards, it may be possible to make a net profit. Also, the question of compromising Mondex without compromising the smartcards themselves, by tampering with client software on the user's PC to divert payments covertly to the attacker, was not addressed in the Mondex fraud prevention model. Monday Afternoon (22 February) - Exhibitor Sessions "Governance in DigiGold" Ian Grigg (Systemics, E-Gold) In this exhibitor talk, Ian described the processes that are used by the gold-backed DigiGold banking system. There are three types: static governance, representing the "Ricardian Contract" (which is both human-readable and machine interpretable, and digitally signed) of the bank with its customers; dynamic governance, providing realtime, user-initiated auditing of the bank's operation, and structural governance, which deals with separation of duties, auditing, and limiting the trust placed in bank employees (and is required because cryptography alone cannot stop insider fraud). He presented his seven layer financial cryptography model, and specifically went into his layer five, governance, which is responsible for ensuring the underlying layers (cryptography, software engineering, electronic cash, and accounting) are operating to support the transport of value and the user-level application, and that the transport of value and user-level application are conducted within pre-defined rules. Ian introduced several security features of general applicability which are being implemented for the DigiGold.net system. The first technique is static defense, using cryptographically signed contracts which fully specify the behavior of various parties in the system. In the Ricardo system on which DigiGold.net is built end-users agree to contracts before using a particular currency, and a currency is identified by the cryptographic hash of the currency's own contract, ensuring that the contract cannot be changed without a user's knowledge and acceptance. The second technique is dynamic defense, using realtime auditing. Many auditors involved in electronic commerce have spoken of increased frequency of audits for electronic commerce businesses, and the Ricardo system allows the ultimate evolution of this -- any end user can perform a full audit on the entire system at any time. The final set of techniques is structural protection, including the very important separation of concerns. In the DigiGold system, a multiplicity of parties are involved in well defined roles to ensure that no single party can defraud the system. The e-gold system is used to hold the gold reserves, the server operator is responsible solely for technical operation of the DigiGold server, there is a day to day operations manager responsible for handling normal user transactions, a trusted third party who can generate new money but only send it to the manager, and the legal entity that is DigiGold has a board of direction responsible for ensuring various parts of the system operate correctly. Each of these roles can be subdivided to require multiple individuals, and external auditing can be added to each. An interesting observation was that DigiGold started out using the PGP web-of-trust signature model, then switched to X.509 as an "emerging standard", and now plans to switch back to the PGP model because it works so much more effectively. Questions covered dispute handling (some protection from protocols, maybe use personal hardware devices to limit scope of fraud), understanding the bank's contract (which experts will analyze, and render opinions), and the PGP/X.509 distinction. Locating and Managing Your Intellectual Property Offshore Lynwood Bell(*) (Span/Hansa Group, Hansa Bank) Lyn talked about how business enterprises can be structured to achieve tax advantages by holding assets in Anguilla, and illustrated with two examples: Murex, a pharmaceutical company, and the (unnamed) former owner of the domain name "bingo.com". Murex holds its patents in Anguilla, which means that infringement suits in other countries can only shut down local manufacturing operations, not the whole business, and also raises a significant barrier to suits in general--as well as making the company operate free of corporate taxes. The domain name company is more of a pure tax play: it was able to sell the "bingo.com" name at a huge profit, all untaxed because it was realized in Anguilla. Lyn characterized a few tests for offshore location: Can the valuable asset be moved? Can the work be subcontracted to another location (e.g., Anguilla company contracts to implementers in San Jose)? Can revenues reach the haven (sales good, royalty income bad, typically)? Is the plan defensible? (If the enterprise makes its initial invitation and business offer via an Anguilla-located server, and does acceptance and transfer of title there as well, it's strongly defensible, even if much other activity takes place elsewhere). Lyn Bell distinguished between tax treaty and full tax haven countries, differentiating between Anguilla (which is a tax haven) and Barbados (which is a tax treaty country, at least with Canada). The Span-Hansa group has affiliates in both locations, and Bell described situations in which it would be appropriate for a business to choose one location over the other. The presentation's most insistent point was that it is critical to move one's business offshore before it has real value, whenever possible. Bell presented the example of Microsoft, one of the most highly capitalized corporations in the world; for it to leave the United States would carry an impossible tax burden. He said that for many conference attendees, it should be possible to move intellectual property, such as a new electronic cash system, offshore immediately after it is developed, before it has any real value, and thus avoid taxes on it entirely. He described several potential pitfalls, including the taxes on royalties enforced by many nations. Since many pieces of intellectual property, including software, are licensed on a royalty basis, this is an especially relevant issue. Effectively, royalty streams are taxed by many nations even if the parent entity is offshore. Bell estimates that the Span-Hansa group has been responsible for billions of dollars in deals over the past 10 years. Hansa Bank, and Counsel Ltd (the corporate services affiliate), offered a special deal for conference attendees, establishment of an Anguillan corporation for half the normal price of $1100, or $550, to take advantage of the unique advantages of an Anguillan corporation. Monday's evening event was a cocktail party at the Mariner's hotel on Anguilla, one of the recommended hotels for the conference. After this cocktail party, some attendees went to a local French restaurant for continued discussion of financial cryptography. During that conversation, one of the main problems of internet electronic payment systems was discussed -- how to add value to the system quickly and conveniently for the average user, and how to allow those users to redeem value from the system. Among the diners were Bob Hettinga, founder of the Financial Cryptography conference series, and Paul Guthrie, VP for Research at VISA International. Hettinga suggested (and continued to maintain) that the ATM networks (e.g. Cirrus, Plus) were the best means of doing this, having the electronic cash mint act as a third party ATM, with electronic cash withdrawals and deposits being treated exactly like physical cash. Guthrie, who is familiar with the ATM networks since VISA owns one of them, argued that the ATM networks were unsuitable due to security requirements for PIN entry into only approved tamper-resistant modules, general unavailability of third-party bank deposits on the network as a whole, and other factors. I suggested the ACH network as a possibility, and some electronic cash vendors have taken preliminary steps to use this system, through membership in NACHA. Guthrie also suggested SET, as this would allow credit card transactions to be conducted security over the Internet (also offered by SSL) but would also eliminate chargeback risk for the electronic cash issuer. Additionally, the e-gold payment system was suggested as a repudiation-free source of funding for electronic cash systems, operating in ounces of gold, rather than traditional government currencies. Another interesting topic raised during the discussion was recent investigation by Shamir and Rivest which concludes the EFF's "Deep Crack" massively parallel machine, could be used as the "micromint hash engine" in Rivest's MicroMint micropayment system. This system requires a device capable of searching for a large number of n-way hash collisions, something Deep Crack is capable of doing. TUESDAY Tuesday's session opened with Adi Shamir's invited talk, "Crypto Predictions", chaired by Jacques Stern. "Crypto Predictions" Adi Shamir(*) (Weizmann Institute) Adi started off the Tuesday session with his "Three Laws of Commercial Security": (1) Crypto is bypassed, not broken: improving the crypto isn't very helpful, because it's already by far the strongest link in the chain; (2) There are no secure systems, only varying degrees of insecurity: don't bother adding bells and whistles because complexity is your worse enemy; and (3) To halve the insecurity, expect to double the cost: small early investments help a lot, so it's better to make the system convenient, transparent, and cheap--don't strive for the unreachable airtight goal. By these principles, there are many adequate security designs: paper money, postage stamps, mechanical locks, vending machines, access control, smart cards, and tickets. Some of these systems will be used for many years, regardless of technical advantages of replacement solutions, because they are "good enough": cost to attack is much greater than expected return. He illustrated the notion of "bypass" attacks with some examples: The first example breaks a "Provably correct implementation of unconditionally secure key exchange protocol using quantum cryptography" by sending light back down the optical fiber to read the polarizer angle directly (rather than anything to do with the single photons used in the protocol. That is, after the keys are set up, one taps the fiber and sends a strong pulse of light back through the fiber at the original transmitter, then reads the internal reflections from the transmitter itself to determine the earlier polarization configuration of system. Shamir says none of the systems under test today resist this simple attack. The second example fabricates a false "Tamper-proof photo-ID document" by submitting a "photograph" printed in two types of ink: one that fades over time, and one that becomes apparent over time (perhaps after being exposed to strong UV light). This would allow the photograph to be changed after the fact without tampering with the lamination at all. The third example allows cheating on multiple-choice exams by sending morse code through a mobile phone or pager's vibrating indicator--a signal not perceptible to the proctors. Shamir broke with some of the security community by advocating some measure of security through obscurity, at least for systems small enough to attract attention from an attacker themselves. He also advocates a diversity of underlying designs. He was primarily concerned that a flaw would be found in a widely deployed system, such that a "scripted" attack could be mounted on a large number of sites with little marginal cost, and also that deploying a single system widely raises the incentive for attackers to test it. Generally, those in the Internet security community have encouraged widely publishing their designs (unlike the intelligence, finance, and telecommunications industries), such that a maximum number of researchers can test it. Shamir's proposal is something of a departure from this, although his reasons are good. Adi's prediction for E-commerce is that it will continue to expand rapidly, generating both huge stock valuations and many business failures, and will use primarily SSL ("good enough"), not SET, anonymous cash, or other specialized schemes. He predicts that E-Cash (e.g., Mondex) will not be successful short-term as an alternative for cash in physical commerce, but may see success in closed systems such as enterprises, universities, and the military; a key is including E-Cash as part of a multi-application smart card. Micropayments over the Internet, on the other hand, he predicts will begin to be widely used (e.g., the MicroMint system) because they fill a real need, have no export controls, and can be implemented and integrated with today's technology. Adi expects that Smart Cards are headed for a major crisis, largely because of indirect attacks (fault analysis, timing analysis, power analysis, etc.). He described an extension to Kocher's power analysis (joint with Eli Biham) which detects the Hamming weight of individual bytes being written to memory and can therefore be used to solve a series of linear equations to deduce values when bits are related (as they are, for example, in DES key schedule generation). Shamir had an even more grave predition about security on the desktop computer. He said, "I think the PC architecture is basically doomed as a security device. If I were selecting security features for the world's worst security architecture, all of those features are present in the PC." The architecture is completely open, every file can be modified by any program, programs come from unknown sources, etc. The problem is getting worse, and is exacerbated by the overwhelming complexity of operating systems (35 million lines of code in Windows 2000?). The only secure solution seems to be a new class of simple, securable devices. He also recounted an interaction with the Israeli state security apparatus in which they revealed absolutely no investigations were seriously hampered by the use of encryption technology by suspects, due to other weaknesses in overall security, or simply quality investigative work. "PCs are the worst possible platform for secure computation, and the situation is getting worse." He also quoted RFC 602, demonstrating that the problem has been around since the days of the ARPAnet. However, he admitted that this analysis was only of the Microsoft Windows platform, not alternate operating systems for personal computers. He predicts a major relaxation of export controls over the next few years, but an unanticipated consequence of the Y2K bug: it will permit introduction of malicious code into many, many systems, allowing information warfare attacks on those systems months or years later, long after backups are decommissioned or useless. Finally, for cryptographic algorithms, he predicts that the AES process seems like it will yield ciphers "good enough" for any foreseeable application (even 50 years of Moore's Law won't help for 256-bit keys); that multivariate public key schemes will continue to prove unsuccessful; and that factoring-based schemes seem to be OK today, although it's been 10 years since a major factoring breakthrough, and another may come soon. In response to questions, Adi was skeptical about quantum computation ever being practical for real problems, and suggested that elliptic curve and factoring are about equally vulnerable--for especially strong security, one could use both. The next session, Public-Key Certificates, was chaired by Clifford Neuman. "Reasoning About Certification: On Bindings Between Entities and Public Keys" Reto Kohlas(*), Ueli Maurer (ETH) This paper addressed the need for a language and formal semantics to express the relationships between public keys and responsible entities. It's important to formalize the relationship, because simple statements (e.g., "the entity owns the public key", "the entity claims sole ownership of the public key") mean different things, and, worse, are inherently suspect. The important statement seems to be "the entity is liable for statements signed with the key", and the authors introduce the concept of Views (which may differ for different parties, such as the transaction participants versus judges) and inference rules for determining what statements are valid within a view. The model is incomplete: it needs to address attributes, authorization, timestamps, and revocation. A questioner observed that there is a superficial similarity to BAN logic; BAN deals with authentication, which is different from this logic. They presented several interesting statements: sole ownership of a key can generally not be verified or certified; ownership of a key alone is generally acceptable except for situations where the key is used to assume liability, in which case legally binding commitments are needed; and self-certificates imply ownership of the corresponding private key. "Online Certificate Status Checking in Financial Transactions: The Case For Reissuance" Barbara Fox, Brian LaMacchia(*) (Microsoft) The point of this paper is that the response to an online query ("is this certificate still valid?") is really just another certificate, likely with a limited validity period. These certificates are important for high-value transactions, because freshness is increasingly important as transaction value increases. Using certificates, rather than another specialized form of "validity response" also simplifies issuance of receipts (i.e., the certificate) and sale of transactions (because a chain of freshness certificates can be accumulated as the transaction passes from hand to hand). LaMacchia also presented reissuing certificates with short expiration periods rather than using OCSP as a way of minimizing complexity and redesign in existing code. Questioners asked about representing repudiation semantics, and whether it's a good idea to have the CA be making policy decisions about freshness, rather than the certificate user. Another question asked whether XML would be a more convenient representation than X.509; it would, but we have X.509 already. Panel: Certificate Revocation and Validation: One Year Later Mike Mayers (VeriSign) Ambarish Malpani (Valicert) Patrick RIchard (Xcert) Carl Ellison (Intel) The last technical session on Tuesday was a panel following up on the topic introduced at FC '98. There has been good progress: the Online Certificate Status Protocol has moved all the way to an IESG draft, but there are still semantic and technical issues: revocation is, at best, a mechanism for saying "not invalid". Alternative mechanisms (signed LDAP attributes, extended protocols for certificate acquisition, extensions to "delta CRLs") may become important. Legal issues are still unclear (trust model, liability transfer). Ambarish spoke about ValiCert's implementations, and stressed that Validation Authorities (VAs) are inherently different from Certificate Authorities (CAs): their processes are different, response requirements are different. etc. This distinction argues for using different mechanisms (perhaps several) for validation as opposed to issuance; it also provides a framework to charge for use of certificates, rather than issuance. Patrick talked about problems with real-world use of certificates and revocation; the problem is bounded within enterprise environments, and therefore amenable to technical solutions, but harder in the global Internet, which likely cannot be satisfied by a single ubiquitous approach. Internet transactions, in particular, need to determine credit validity--and don't care as much about name bindings. Carl characterized revocation as a performance problem, not a security problem: you choose your techniques based on your requirements. Classical "anti-matter certificates" are easy to understand, but inherently flawed; time-disjoint CRLs are more complex, but have a sound underlying mathematical model, and can be tuned to place the load where it's most appropriate, by adjusting CRL size, lifetime (in fact, using CRLs, it's not clear that an original certificate ever has to be signed). However, this isn't enough: even if there are separate CAs and VAs, it's not the case that they are the parties who can determine whether a certificate is valid for a particular transaction. The real issues are semantics of trust authorization and naming, not revocation. Floor questions included discussion of OCSP versus CRLs, and the tradeoffs between CRL issuance frequency and CRL size. Small, frequent, CRLs are like OCSP; large ones are more of a problem. OCSP can build in decision policies of the VA, rather than relying on the client to decide (but is this always good?), can make the important CA/VA distinction, and can support time synchronization. OCSP can also allow use of a low-assurance identity certificate, validated by a high-assurance VA. Other questions dealt with the proliferation of certificate issuers (e.g., every Windows PC, every PGP instance); this will be an issue, but it's important to distinguish between issuers (signing keys) and parties that accept liability. A final question asked whether there's really a need for fast revocation; in practice, it seems that there aren't many examples, and most of them (e.g., money center banks) already deal with the problem effectively and wouldn't rely on certificate revocation anyway. Alternatively, "If you're going to validate the certificate on every transaction with a trusted party, why bother issuing long-term certificates at all". After lunch, there were no commercial sessions. There was, however, a meeting of the International Financial Cryptography Association, which runs Financial Cryptography the conference. Ron Rivest did not run again, replaced by Adam Shostack, and Lucky Green was reelected. The board of IFCA thus consists of Bob Hettinga, Ray Hirschfeld, Vince Cate, Lucky Green, and Adam Shostack. The question of where to hold Financial Cryptography 00 was also preliminarily discussed, and evaluation forms were handed out. Tuesday's evening event was the conference rump session, chaired by Avi Rubin, replacing Matt Blaze [who was vacationing in New Jersey, rather than sweating it out in Anguilla with the rest of us.-P.S.] A special feature of this year's rump session was a prize offered by E-Gold: USD$350 equivalent in an e-gold account (effectively a little over 1 ounce of physical gold, since E-gold is 100% backed with gold and the price of gold was approximately $290 per troy oz). This prize was for the best rump session presentation, as decided by a panel appointed by Avi. [The most fun talk, which had the advantage of being a temporally distributed presentation, was Avi's movie guide for Crypto geeks. The titles are given here, but it loses alot without the movie posters. -P.S.] The top ten cryptography movies. These were: BreakDES at Tiffany's; 9 1/2 Weeks to Factor RSA; Saving Private Data; Good Will Hunting; The XOR Cyst; My Own Private Key; The China Remainder Syndrome; E T mod n; Feistel Attraction; and There's Something About m-ary arithmetic where m is the Product of Two Large Primes. [N.B. I caught some, but possibly not all, attribution mistakes in the Rump Session writeup -P.S.] Tomas Sander spoke on "Auditable Anonymous Electronic Cash", addressing the problem that the consumer has no recourse (in many E-cash schemes) if the issuer goes bankrupt, using a Merkle tree to establish an auditable correspondence between withdrawals and reserves. Stuart Stubblebine spoke on "Stack and Queue Integrity on Hostile Platforms", describing how to use hash functions and MACs to enable a trusted computer (such as a smart card) to manage large data structures in untrusted storage with O(1) overhead. Kazue Sako, who won the Rump Session award, spoke about a "Digital Lottery Server", an mechanism for using hash functions to make a fair, auditable, and random choice among several participants. She also introduced us to Hanako, Keiko, and Yuko, who are Alice and Bob's Japanese cousins. Specifically, she described a theoretical fair lottery system and implementation of a different lottery system, used in several cases already on the world wide web, originally inspired by a need to sell an event ticket on short notice. Paul Syverson spoke on "Establishing Title for Dynamic Objects", about the difficulty of defining ownership of objects whose title changes over time. He gave a very brief and highly self-referential presentation about dynamic object things and ownership, using the presentation itself as an example of an object which has changed ownership from one party to another. This puzzled the audience while they tried to figure it out. [This was basically a joke---masquerading as a real piece of research---about a bunch of people without a submission to FC constructing one so they could go to the conference. The joke was on me: more than one person came up to me afterwards wanting to know if they could get the paper -P.S.] Josh Jaffe then gave a much more serious presentation, with actual machine-printed slides. The talk was about using power analysis to reverse engineer smartcards, and it showed visuals of the kind of signals recovered from smartcards during the attacks. He also described the mathematical techniques used to recover meaningful data from the apparent mess. Paul Kocher talked about "How not to Fix Single-DES Protocols". He described how a response by banks to the demonstrated weakness in DES's short keyspace, using rapid keychange, can in fact lower security against certain kinds of attacks. He came up with a way of breaking DES in 2 hours on a fast PC given certain assumptions about key change rate. The naive solution of changing DES keys frequently actually makes systems with known plaintext easier to break by exploiting the time-memory tradeoff: 2^40 precomputations to create a table with 2^24 entries enable finding keys with 2^32 effort (at O(2^16) operations per test). Mark Miller described his "E" programming language -- a capabilities system built on the idea that pure objects are equivalent to pure capabilities. The system is the latest in a series of capabilities based adventures, and is proposed as an ideal environment for working on smart contracts, self enforcing documents which can be executed and evaluated by a machine, rather than a lawyer. Ueli Maurer described a result in "General Secure Multiparty Computation from Any Linear Secret Sharing Scheme", which involves a technique for performing the "multiply" operation (as well as "add") in linear schemes that is efficient and operates on any field. This included means of changing users in an existing group and other important administrative features. Rachel Willmer talked about "Smart Cards on the Internet". She asserted smartcards (not just Mondex but smart cashcards in general) will in the future prove good at providing an equivalent for cash on the Internet, sharing many of the same characteristics - low-value, immediate settlement, relatively private, two-way transactions - whereas credit and debit cards cannot do this. Also she noted that in the "real-world" trials, smartcards have proved good at replacing coins, e.g. in parking meters, laundromats -- but not proved as good in transactions already suitable for credit and debit cards. She also brought up the smartcard reader deployment problem, but said these are coming down in price, which should help solve the problem, although not necessarily in the US first. Ian Goldberg talked about the "ZeroKnowledge Anonymity Service", pointing out that "anonymous E-cash" isn't very anonymous when your IP address is being disclosed while making payments on the Web. The ZeroKnowledge product enables efficient IP-level anonymity services for arbitrary higher-level protocols. The system appeared to be a combination of mixmaster remailers, onion routers, crowds, and other systems, commercially packaged. Bryce Wilcox talked about "Using the Rivest and Shamir Interlock Protocol for Half Duplex Communications", describing a scheme based on contingent messages, in which each party anticipates the other party's potential responses, to send inherently one-way communication with the Interlock Protocol. Viktor Dostov spoke on the "PayCash System for Online Payments", addressing the problem that the bank must be trusted (because it can fake double-spending) in a traditional Chaumian E-cash system, using a structure called PayBooks. Adam Shostack spoke on "Towards Eliminating the Middleman in Money Laundering", describing a scheme involving apparently legitimate merchants to enable distribution of illegal goods without involving an explicit money launderer using cryptographic receipts from the store as token currency. Paul Lambert spoke on "An Efficient Public Key Language", a work in progress designed to make efficient public key certificates (especially elliptic curve) with simple semantics, small size (under 50 bytes, total), and no ASN.1. This had applications such as tiny certificates for 2-d barcode postage indicia, using very small signatures, and an application-specific increase in efficiency by eliminating verbose generic headers. Neil Daswani spoke about a cryptographic deletion system. Phil MacKenzie spoke on "Compromivacy", for compromise of privacy. The compromise of privacy is assumed to be potentially worthwhile in this system when a user interacts with a market research organization. This was a scheme for transactions involving personal information by selling the results of a buyer's queries against protected information, with zero-knowledge proofs of validity. Bryce Wilcox spoke on "Traditional PGP for Windows", using the current-day PGP Developer's Kit to build a command-line PGP interface compatible with PGP 5.0 keys and formats; it will be available open source. Paul Syverson announced the oncoming availability of "2nd Generation Onion Routing", which is going through the NRL review process now and is expected to be released as an open source distribution. Someone, who's name we lost gave a presentation describing a new electronic currency, the "negabuck", eliminating fraud and theft by declaring the currency to have negative value, such that no one would want to counterfeit or steal it. While this was intended to be humorous, there actually are practical applications for certain negative-value currencies, such as tax scrip. Marc Briceno gave a status report on the "DigiCash Acquisition Consortium" he has organized, which expects very soon to announce a flexible and opening Vince Cate spoke about "Weaknesses of the Verifone Terminal", observing that the protocols for communicating with a Verifone merchant terminal permit a user to act as an arbitrary merchant, request arbitrary refunds, and other weaknesses; apparently there is no crypto, no authentication, no real security in those interactions. The prize was awarded to Kazui Sako. The panel approved of the Japanese equivalents of Alice, Bob, etc. used in describing her system, and favored her actually-implemented system over some of the more theoretical presentations. Douglas Jackson of e-gold.com walked Sako through the account creation process in front of the audience and then transfered $350 in e-gold to her. The prize for best rump session presentation was in fact so popular that some with accepted papers in the formal sessions were considering withdrawing their own papers from the formal session to enter in the rump session in order to have a chance at the prize, proving that financial cryptographers are often motivated by financial considerations as much as purely academic ones. It would not be a surprise if such a prize were offered in the future. WEDNESDAY The first session on Wednesday, Steganography, was chaired by Yacov Yacobi. Nicko van Someren presented work with Adi Shamir detailing new means of efficiently searching large volumes of data for cryptographic data. They took advantage of several special features of cryptographic data (encrypted data as well as keys) -- the number theoretic properties of RSA keys, the locally-high entropy in symmetric keys and encrypted data, and simple high-speed tests, including visual pattern-recognition. They presented a "lunchtime attack" where one could successfully recover a hidden key from a user's hard drive while the user is away for lunch, as well as schemes to recover keys used in copy protection and license control from program binaries themselves. An important result of this is new reason for software publishers to not depend upon compiled-in keys in user-readable software for software licensing or security purposes. Previously, it seemed that hiding a key in the bulk of a large program might be enough defense, but the visuals shown in this presentation clearly identified regions of high-entropy key data in even a large program, and the analytical tests were even more powerful. The final talk in this session was presented by Markus Breitbach. It was work with Hideki Imai, "On channel capacity and modulation in watermarking of digital still images". The talk differentiated between reversible and irreversible image transformations, and singled out jamming attacks as a major potential problem to overcome, drawing parallels to military communications systems. A binary alphabet was shown to be the most efficient in terms of channel capacity. The next session was Content Distribution, chaired by Berry Schoenmakers. The presentation talk in this section was presented by Avisha Wool, work with Abdalla and Shavitt, "Towards making broadcast encryption practical". They described solutions for symmetric key encrypted broadcasts, such as satellite television, with minimal requirements for key storage, with the useful feature of being able to target a particular subset of a subscriber base for a particular broadcast. They made the fundamental observation that it is usually ok to allow some free riders to view a broadcast, as long the number of free riders can be bounded, and the chances of a given user viewing a broadcast without paying are acceptably low. They use a system which is a hierarchical tree of keys, with users belonging to multiple groups of increasing generality, such that when enough of a subtree is filled with users, the parent key is used instead. They did mathematical analyses of various group sizes, modifications to the basic scheme, and concluded that eliminating large groups and adding more partially-overlapping small groups would improve the average efficiency of the scheme. The last academic paper presented on Wednesday was David Goldschlag's "Conditional access concepts and principles", joint work with David Kravitz. He detailed the business case for divx-style access control on media, the security rationale for closed systems in conditional access control (such as the non-standard storage format of Divx discs), and the risk analysis that is undertaken before deploying such a system. Two kinds of video decryption technology, the external smartcard which returns keys used in satellite systems, and the all-in-one key/decrypt module used in Divx, were presented, and various strengths and weaknesses of each were explained. The main point in this presentation was in some ways parallel to the Mondex fraud-modeling presentation given earlier -- Conditional Access technology (often confusingly called "CA" technology, unrelated to Certificate Authorities) works best when the goal is to prevent economic benefit to the attacker, rather than making all attacks infeasible. According to Goldschlag, the legitimate content distributor has an advantage over pirates in distribution technology, so as long as the conditional access scheme is sufficient to prevent the pirate from leveraging the legitimate provider's infrastructure, requiring the pirate to get into the business of content distribution himself, it is successful. The point was raised later that compressed audio distribution (i.e. mp3) is already evolved to the point where legitimate providers have little competitive advantage over pirates, and others suggested that even video is not far from this point. In his presentation, Goldschlag said content redistribution is a major problem. Finally, Joan Feigenbaum chaired a panel, "Fair use, intellectual property, and the information economy", comprised of: Erin Sawyer (Cooley Godward LLP); Jon Amster (replacing Ed Fish); Dan Boneh (Stanford); Brian LaMacchia (Microsoft); David Goldschlag (DivX); and Jon Callas (Network Associates). The topics of copyright protection and the rights of consumer and producer were the focus of this lively panel discussion. The forthcoming US Digital Millenium Act attracted attention for its attempt to give legal status to content protection mechanisms. Concern was expressed that this would outlaw legitimate research into such things as smartcard security, and that providers may use technical means to enforce restrictions which the law could not. This led on to 'fair use' of copyright material, which is a right under UK law but not under US, and the possibilities that this may be denied in future. It was suggested that, in future, media would be licensed to the user rather than sold - some panel members expressed fears that this may be used to prevent analysis and criticism of the product and this was a denial of free speech. It was also suggested that consumers would be resistant to distribution arrangements which were more restrictive that those currently available, and that this would lead to growth in Internet sales outside of conventional channels. Specific presentations went as follows: Callas, who previously testified in Congress about the potentially chilling effect of anti-circumvention legislation on security research, described the compromise reached with the government by which one can safely undertake security research without the consent of the product's manufacturer -- one should ask the manufacturer for permission, but a response is not required (it is unclear how this is different from simple notification), and the results should be made available to the manufacturer. Goldschlag made a case for the "first sale doctrine" not applying to the DivX conditional access DVD system. He also cited the Japanese music market, where first sale does seem to apply, and redistribution is consequently rampant. CDs in the Japanese market cost approximately 80% more than in the US market as a result. Sawyer described the "Uniform Commercial Code 2b", a massive effort by the legal community to take into account current and future changes in the business environment. Sawyer disagrees with the effort's attempt to have the legal community anticipate commercial reality, instead suggesting that business should develop practices which should then be reviewed by the legal community and incorporated into the law after the fact. LaMacchia spoke about the fair use defense, the future potential for machine-interpretable and enforceable contracts (often called "smart contracts" and discussed in the capabilities community), and also emphasized that layering contract law, such as in conditional access systes, on top of copyright protections on the underlying media is a potentially bad idea. Boneh made the case that it might not be bad for business, just different, if copyright and access control are changed by new technology. Amster asserted that copyright and contract law must coexist, as copyright is required to ascribe value to information and make it property, and contract law can be used to restrict access to property. He also didn't feel fair use should become a codified right, as it is now a defense after the fact, and it might be acceptable now if even that fair use went away. When the question of technological enhancements allowing finer-grained access control came up, Sawyer said contract also provides finer-grained access control than copyright, and Goldschlag said that this control might actually improve things for consumers -- middlemen will now have the ability to individually price things for different kinds of consumers, in the way that videocassettes sold to rental firms sell for more than those sold to private individuals. Callas was afraid of copyright as a potential right to monopoly. LaMacchia was also concerned that the license terms under which users license content may prohibit later commentary by the user on that work, either legally or technically (by preventing cutting and pasting). Finally, the confrontation between technical ability and the legal system was brought up numerous times, from Bob Hettinga's assertion that in a world with strong cryptography and realtime auction markets, copyright is effectively unenforceable, to Paul Kocher's question of how the world can deal with countries with unusually favorable laws, such as Anguilla. Jon Callas described how he "signs" electronic software licenses -- verbally saying "I accept, with my modifications", and Sawyer said those who have technical capabilities to provide or limit access to content "should use it, and force changes in the legal system". One thing seems clear -- how technology will interact with the legal system's copyright and contract law is still an open question. After lunch, there were commercial exhibition sessions. First was "Key provisioning, protection and processing -- scaleable hardware crypto solutions", given by Alex van Someren of nCipher. nCipher's hardware uses both physical and logical means to protect keys during the distribution process, ensuring that hardware tamper-resistant key control is exercised at all times, while also providing means for backup of keys and replacement of failed hardware. The blue LED's on the front of nCipher accelerators do not play a major security role, but they are very attractive. Next was "Who the hell is EuroRSCG Interactive", given by Paul Dinnissen of EURO RSCG Interactive. The company, formed by the merger of a technical services firm and a Dutch marketing firm, was introduced. On Wednesday evening, a party was held by e-gold on Anguilla's "crypto hill", a local concentration of cryptographers. At the event, e-gold promoted their payment system, including offering to redeem the 1 oz silver american eagle coins it distributed earlier to every attendee for e-gold on the spot. However, most elected to keep the coins and those who opened their e-gold accounts usually used USD currency -- shiny metal triumphed over electrons, even in this crowd. During the party, various electronic cash systems were discussed, including the potential for issuing electronic currencies backed by commoditized services, rather than physical assets or government debt. The topic of how to add and remove money from an online system was again a popular topic, and the presence of a large number of physical precious metal coins reinforced the difficulty in converting such assets into online instruments in an efficient way. THURSDAY Thuesday's first session was Anonymity Mechanisms, chaired by Ari Juels. The first presentation, given by Stuart Schechter, was of research with Todd Parnell and Alex Hartemink, "Anonymous authentication of membership in dynamic groups". This introduced the concept of "verifiably common secret encoding", descibed how it would be useful to allow users to identify themselves to a publisher as a subscriber without revealing additional identity information, and then developed an implementation of the verifiably common secret encoding. This construction used a vector of separately encoded values, and thus is linear in the number of members in the group. They suggested various means for partitioning large groups, although this does sacrifice privacy. The main differences between this scheme and other schemes are that it allows addition and deletion of members, unlike group signature schemes, and it allows removal of users at any time, rather than during a forcible audit of the entire system, as is required by the blinded token based schemes. After the presentation, Syverson (the developer of the token based proposal for dynamic group membership authentication) asserted that the weaknesses cited in this presentation did not necessarily apply to a well-implemented token-based authentication system. Gene Tsudik next presented a review of the current state of group signatures in "Some open issues and new directions in group signatures", joint work with Giuseppe Ateniese. This paper described the current state of group signatures in academic literature and also proposed new applications, with the intent of getting group signatures adopted in some actual production system (until now, they've primarily been an academic curiosity). Interesting subtopics such as multi-group signatures and subgroup signatures were discussed in detail, including sample constructions based on the Camenisch and Stadler 97 scheme. After a brief coffee break, the next session began -- Auctions and Markets, chaired by Clifford Neuman. The first presentation was "Anonymous investing: Hiding the identities of stockholders", by MacKenzie and Sorensen. The system was based on certified anonymous public keys and trustee-revocable anonymity, and used an objected called an "eshare" to allow both revocably anonymous transfer as well as voting and divided collection, unlike simple electronic cash tokens. In order to allow taxation of dividends, they introduce the concept of dividend tax scrip, a kind of "negative currency" which flows in a direction opposite to value to assure tax compliance. They did mention the potential pitfalls of anonymous investing, including rampant insider trading, extortion, and money laundering. There system provided some protection in the form of tracing certain transactions after the fact, but in the questions after the presentations, it became clear that the threats are very hard to completely defeat. Additionally, during the question session a scheme was suggested to allow divided and voting without any changes to underlying cash systems, simply using reissue of a new token, much like a bond minus a coupon, after a vote or dividend. The next presentation was "Fair on-line auctions without special trusted parties", by Stubblebine and Syverson, presented by Paul Syverson. The presentation began with an interactive auction with the audience as bidders, demonstrating various attacks on an auction by a malicious auctioneer in collusion with a bidder. They described a system structured such that no rational participant, including the auctioneer, has incentive to cheat, and there is no requirement for special third parties to ensure this, although an external timestamping service/notary and external certified email delivery service are greatly beneficial. Their system does not require the use of a distributed threshold computation auctioneer, unlike most fair auction schemes, as they believe such a scheme can only effectively be used by large organizations, rather than individual small auctioneers. They focused on the English auction scheme, although they did introduce other kinds of auctions briefly in introduction. The system uses aggregated notarized bid histories and hash chains to minimize computational complexity in a fast-paced auction. Given recent interest in online auctions (using trusted auctioneer systems primarily) and investigations into fraud, the concept of cryptographically secure auctions is highly relevant. The next session was Distributed Crypto, chaired by Joan Feigenbaum. Due to earlier substitution, Yacov Yacobi's talk, "E-cash systems with randomized audit" occured at this time. In it, Yacobi developed a quantitative model of risk for both coin and balance based wallets when coins are checked on-line for validity with a probability from 0 to 1. Yacobi described a plane (audit rate vs. breaking cost) such that system designers could explore a soundness curve, defined by where breaking cost exceeds expected theft. Important results included dramatically higher security risks in balance wallets than coin wallets, given randomized audit and imperfect tamper-resistance, an optimial multi-spending of fraudulent coins being shown to be double spending a given coin. The final academic paper of Financial Cryptography 99 was presented by Joy Mueller, "Improved magic-ink signatures using hints", joint research with Markus Jakobsson. Despite two power failures during the talk (the state-owned electric utility on Anguilla went down, blacking out the whole island for over an hour, as is common) and failed attempts to run the overhead off an UPS, the presentation continued. In the presentation, two improvements to magic ink DSS signatures were proposed. Magic ink DSS signatures could be used for signing electronic cash, and have several useful properties over regular signatures. The improvements presented in this session were intended to dramatically reduce the cost of tracing, as well as to introduce a method for detecting the presence of forged currency in the system. An interesting technique used to avoid secret sharing and multiparty computation was to perform operations on encrypted data. During the presentation, Mueller presented a chart of various signature schemes used for electronic cash, and it was apparent that only the magic ink signatures using hints provided protection from certain attacks on the mint itself. Finally, there was another commercial exhibition session. The first presentation was by Sutcliffe Hodge, acting manager of Cable and Wireless Anguilla, on the "Evolution of Internet services in Anguilla". In this presentation, he expressed the willingness of Cable and Wireless to work with business that wanted to set up operations on Anguilla. He refused to mention price, which is approximately US$ 30k/month for a t1 circuit or over US$2/minute for voice calls, but did mention an example of someone who wanted multiple t3 service for an Internet business on Anguilla who they talked down to t1 service (and eventually went to Canada instead). This was a particularly interesting presentation since many have throughout the conference expressed desire to move to Anguilla and set up companies, if only the telecommunications situation were improved, and Victor Banks, in his opening remarks, alluded to dissatisfaction with the telecommunications situation on Anguilla. This presentation was similar to last year's talk by David Chaum, widely considered to have held up progress in electronic cash by refusing to license core patents on blinding technology which have only relatively recently been circumvented, in that the audience was rather "vocal" in expressing opinions. During the presentation, Hodge suggested that Cable and Wireless did not in fact have a monopoly on Anguilla, since instead of making phone calls, one could instead choose to spend the money on ice cream or other entertainment. He then said "and I eat a lot of ice cream", with a clear implication as to the cost of telecommunications services on Anguilla. When again asked by an audience member why Cable and Wireless has a legal monopoly, Hodge brought in the large sunk cost of the phone switch on Anguilla, with capacity for 20 000 on an island of 10 000, and said that if another company entered the market, they would both lose money. He had no answer when someone suggested this natural monopoly could then stand on its own without government monopoly. The next presentation was about ACORN. ACORN is Anguilla's Commercial Online Registration Network, and it was presented by John Lawrence, of Anguilla's Financial Services Department. It is a system to allow registered corporate agents, of which there are 19 on Anguilla, to enter corporate registrations from anywhere in the world. This would allow US businesses to serve as Anguillan corporate registries, increasing the attractiveness of Anguillan corporations to foreigners. A particularly interesting and tangential point raised during the ACORN presentation is the state of digital signature law on Anguilla. Since they are accepted in working with the corporate registry, it is possible that they would be considered valid signatures on other documents as well, potentially between private parties on Anguilla. This would make Anguilla even more attractive for financial cryptography companies. The final presentation was of SAXAS, the Secure Account Exchange Arbitration System, developed by Secure Accounts, Ltd. on Anguilla. It was presented by Vince Cate, including a demonstration of working software. The system consists of a Java application which keeps track of three components of a contract -- the holder, the owner, and the backer, which are roughly equivalent to a clearing agent, the end-user, and the underwriter in traditional electronic cash protocols. The SAXAS system is an accounting engine, operating without blinding of any kind and thus not covered by patents, which uses secure digital signatures to transfer arbitrary instruments among parties located across the network (i.e. peer to peer transfers). The system also includes a gateway interface to link to external payment systems, a means to create online markets in various currencies, and non-repudiation of transactions. Financial Cryptography 99 concluded, leaving Anguilla for at least another year. Several Financial Cryptography companies have set up operations on Anguilla as a result of things learned during the conferences, including Secure Accounts, c2 networks, InterTrust, and others.