Fourth International Conference on Financial Cryptography (FC ’00)

Anguilla, British West Indies

February 21-24, 2000


By Jonathan Byron


The Fourth International Conference on Financial Cryptography was held in Anguilla from February 21 to February 24 under the sponsorship of the International Financial Cryptography Association. Attendance was up over previous years, with approximately 140 participants.


The Anguillan people were quite friendly and accommodating. Breakfast and lunch were served at the InterIsland Hotel; the food was plentiful and good. Courtesy transportation between the conference site and nearby hotels ran frequently. Internet links at the conference were improved compared to previous years; a wireless network system was available and the public terminals saw heavy use. Although most of Anguilla runs on ‘island time,’ which is only peripherally connected to the clock, the conference ran very close to schedule. With the exception of one day of extremely heavy rains and localized flooding, the weather was pleasant throughout. Participants spent so much time in the conference and in informal discussions that sunburn was scarcely evident.


Evening events included an initial reception sponsored by Xcert at the Sonesta Hotel, a poolside party at the Sonesta on Monday evening sponsored by Hansa Bank and nCipher, the rump session on Tuesday evening sponsored by e-gold,  a Wednesday party at the Dunes featuring island food and the music of Banky Banks (sponsored by InterTrust and Telcordia), and the Villa Party part 2 sponsored by Zeroknowledge.


The Chandeliers Conference Room of the InterIsland Hotel was filled to capacity throughout the conference. Organizers of FC indicated that next year’s conference would probably be held somewhere outside of Anguilla, as the conference had grown beyond the facilities available on the island. Proposals were tendered to hold the conference in the Cayman Islands, Ireland, and South Africa. These proposals were discussed by the general membership, but the final decision was deferred to the next IFCA board meeting. It was noted that the plan adopted prior to the first Financial Cryptography was to alternate between Anguilla and other locations. Conference facilities are under construction in Anguilla that will be capable of accommodating foreseeable growth in the meeting; these should be available for the 2002 meeting.


The tradition of starting the meeting with a speech from the Anguillan Minister of Finance was broken this year.  Anguilla recently experienced a governmental impasse, and several key people (including the finance minister) had resigned. New elections were scheduled for a few days after the FC Conference, and campaigning for the elections was in evidence across the island.


The first invited speaker was Pam Samuelson (Berkeley, USA), who suggested ways of moving “Towards a More Sensible Way of Regulating the Circumvention of Technical Protection Systems.” Pam contrasted the perspective of the cryptography community with the view of the media, particularly Hollywood. She noted that decryption tools are commonly portrayed as ‘burglar tools’ and that framing the debate in terms of ‘breaking and entering’ favored those seeking to ban reverse engineering and cryptanalysis. She discussed the Clinton administration’s policies on circumventing technical protection systems and the influence that Hollywood has had on these policies. The clash between Hollywood and the telecommunications industry was analyzed, and the fight to balance the interests of the internet service providers used up much of the political capital available for intellectual property rights. The World Intellectual Property Organization (WIPO) and its role in global lawmaking were examined. Samuelson challenged a common response in the crypto community, which is to oppose all regulation or to hope that bad laws will be repealed. Such an outcome is unlikely; a more rational response is to amend existing laws so that they are more tolerable to the crypto community.


The second invited speaker was Kevin McCurley (IBM, USA), whose session was titled “In Search of the Killer App.” After addressing the characteristics of a killer application, he admitted that he didn’t know what the next essential uninvented technology might be. Instead, he presented several strategies for saving an existing killer app, email. Given the low cost of sending unsolicited email and the large sums of money spent on direct marketing, McCurley predicted that the average individual will soon be receiving thousands of unwanted emails each day. Such a large volume of spam would kill email. Legislative solutions to spam were considered, but judged limited given the financial incentives to spam, the international nature of the internet, and the slow response of legislatures to a fast-paced technology. An alternative method of saving email might involve software that would allow delivery of email only if the email was accompanied by a bond or escrowed digital currency. This bond would be redeemed only if the receiver felt the email was unsolicited or a waste of time. Such a system would provide a strong financial incentive not to send undesired email. This type of filtering software could include a permission file to allow email from known parties without the need for bonds.


Papers and mini-abstracts:


Efficient Trace and Revoke Schemes. Methods were presented for discouraging users from leaking cryptographic keys, tracing keys that have been leaked, and disabling keys that have been leaked. This scheme is based on secret sharing where revoked keys are broadcast and used as a secret share by valid users to obtain new keys. Moni Naor and Benny Pinkas (Weizmann Institute of Science, Israel)


Signing on a Postcard.  Efficient signing of short messages is discussed in relation to postal collection systems. Using a modified elliptic curve method, the authors propose a 26 byte signature with security comparable to a 40 byte DSA or 128 byte RSA signature.

David Naccache (Gemplus Card International) and Jacques Stern (Ecole Normale Superieure)


Efficient Watermark Detection and Collusion Security. The notion of efficiency is approached using the question “What resources does the watermark detector need to perform a trace?”  A modified version of the CKLS watermarking algorithm was presented that significantly reduces tracing time.  A relationship between the number of colluding adversaries and the amount of secret information required was established.  Francis Zane (Lucent Technologies)


Sharing Decryption in the Context of Voting or Lotteries. In many cryptosystems, knowledge of a single key can convey extreme power. A variety of systems have been developed to minimize the power of any one key by requiring that shared keys be used cooperatively. This paper proposed a distributed implementation of the Paillier cryptosystem presented at Eurocrypt ’99. Its application to elections and lottery pools was discussed. Pierre-Alain Fouque, Guillaume Poupard and Jacques Stern (Ecole Normale Superieure, France)


Self-Escrowed Cash Against User Blackmailing. Blackmailing is an activity that might be enabled by digital cash systems, as the blackmailer can avoid physical contact for the payoff and the digital currency lacks serial numbers or other traceable features. Some systems propose to limit blackmailing by establishing trusted parties with the ability to revoke anonymity, but such systems present problems of their own. The scheme presented involves a passive trustee system in which the blackmailing party would reveal the required information to trace extorted coins without revealing any secrets. Birgit Pfitzmann and Ahmad-Reza Sadeghi (University of Saarland, Germany)


Blind, Auditable Membership Proofs. Auditability is essential to establishing trust in many systems, including financial ones. A ‘blind auditable membership proof’ (BAMP) primitive was defined that allows for both anonymity and public auditability of the system. A method for efficiently implementing a BAMP that is resistant to blackmailing and bank robbery attacks was presented. Tomas Sander (InterTrust, USA), Amnon Ta-Shma (International Computer Science Institute, USA) and Moti Yung (CertCo, USA)


Private Selective Payment Protocols. Auctions, lotteries, and prize competitions are all transactions involving private selective payments. A protocol was presented that is based on two novel methods of oblivious transfer: ‘symmetrically-private conditional oblivious transfer’ and ‘selective oblivious transfer.’ Giovanni Di Crescenzo (Telcordia Technologies, USA)


Postal Revenue in the Digital Age.  This paper provided an overview of the conceptual foundations of existing digital postmark systems. The authors presented what they believe is an optimal solution for public-key postage evidencing using an elliptic curve system; compared to RSA, this method may provide a higher degree of security using smaller keys.  Leon A. Pintsov (Pitney Bowes, USA) and Scott A. Vanstone (University of Waterloo & Certicom, Canada)


Non-Repudiation in SET: Open Issues. The SET protocol was developed to provide secure transactions between customers, merchants and banks. SET digital signatures do not provide enough evidence to prove certain transaction features, and are especially limited with respect to non-repudiation. SET is compared to the iKP protocol, which is better able to deal with issues of repudiation by providing explicit rules for deriving authorization. Els Van Herreweghen (IBM Zurich, Switzerland)


Statistics and Secret Leakage. Electrical current flows from circuits can function as an unlocked backdoor of crypto systems, allowing secrets to leak out to an attacker. This paper rigorously defines leakage immunity and provides several leakage tests. Failure of the tests confirms secret leakage, but successfully passing the tests does not guarantee that secrets are not being leaked. Jean-Sebastien Coron (Ecole Normale Superieure, France), Paul Kocher (Cryptography Research, USA) and David Naccache (Gemplus Card International, France)


Analysis of Abuse-Free Contract Signing.  Optimistic contract signing protocols involve complexity that may lead to ambiguity and abuse. Using a finite-state verification tool, the Garay, Jakobsson and MacKenzie Protocol was analyzed.  An attack involving misconduct by the trusted third party was presented. A modification to the protocol was proposed to protect against this attack. The value of finite-state analysis to determine fairness guarantees, abuse, and corruption was discussed.  Vitaly Shmatikov and John C. Mitchell (Stanford University, USA)


Asymmetric Currency Rounding.  The rules for implementing the Euro currency prohibit charging fees for conversion and specify the rules for rounding conversions. Combined with computerized currency trading, this creates a potential for abuse where a very large number of conversions are made, each resulting in a small benefit from the rounding rules.  This weakness can be eliminated through an asymmetric system which eliminates prior knowledge of how any individual transaction will be rounded. 

David M’Raihi, David Naccache and Michael Tunstall (Gemplus Card International, France)
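The rounding bias this abstract describes, and the effect of making the rounding direction unpredictable, worked through as an added example (not code from the paper or from the original report). The rate of 1936.27 legacy units per euro, the half-up rule and the use of stochastic rounding are assumptions chosen for illustration; the report does not describe the authors' actual construction.

```python
from fractions import Fraction
from math import floor

# Constructed rate for illustration: legacy units per 1 euro (assumption).
RATE = Fraction(193627, 100)


def half_up(x):
    """Deterministic round-to-nearest: a single outcome with probability 1."""
    return [(floor(x + Fraction(1, 2)), Fraction(1))]


def stochastic(x):
    """Round up with probability equal to the fractional part, else down.

    The direction of any single rounding is unknown in advance, and the
    expected rounded value equals the exact value.
    """
    lo = floor(x)
    frac = x - lo
    if not frac:
        return [(lo, Fraction(1))]
    return [(lo, 1 - frac), (lo + 1, frac)]


def expected_round_trip(legacy_units, rounder):
    """Expected legacy units after legacy -> euro cents -> legacy.

    Each conversion is rounded to the smallest unit of the target currency.
    The rounder returns (value, probability) pairs, so the expectation is
    computed exactly rather than by sampling.
    """
    total = Fraction(0)
    cents_exact = Fraction(legacy_units) * 100 / RATE
    for cents, p in rounder(cents_exact):
        legacy_exact = Fraction(cents) * RATE / 100
        for back, q in rounder(legacy_exact):
            total += p * q * back
    return total


if __name__ == "__main__":
    for amount in (9, 10):
        det = expected_round_trip(amount, half_up)
        sto = expected_round_trip(amount, stochastic)
        print(f"{amount} units: half-up -> {det}, stochastic (expected) -> {sto}")
```

With half-up rounding the outcome of each conversion is known beforehand, so 10 units reliably come back as 19 while 9 units come back as 0; with stochastic rounding the expected result of the round trip equals the amount put in.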


The Encryption Debate in Plaintext: National Security and Encryption in Israel and the United States.  Recent liberalization of US encryption export policy is compared to policy in Israel.  Although Israel is extremely security-conscious, its policies have long been less restrictive than those of the US.  Strict regulations may impose an economic cost greater than the security benefit, and internationalization may further accelerate deregulation. Barak Jolish (Hancock, Rothert and Bunshoft, USA)


Critical Comments on the European Directive on a Common Framework for Electronic Signatures and Certification Service Providers. Electronic signatures and certificates are essential for e-commerce. The European Directive is an attempt to standardize the legal systems of EC countries with respect to signatures and certificates. The existing framework is seriously limited with respect to key issues such as certificate lifespan and revocation, and liability. Apollonia Martinez-Nadal and J.L. Ferrer-Gomila (University of Balearic Islands, Spain)


A Response to “Can We Eliminate Certificate Revocation Lists?”  The use of certificate revocation lists (CRLs) to convey the state of certificates is an important issue in PKI management.  This paper responds to Rivest’s proposal that CRLs are impractical. An analysis of various scenarios indicates that CRLs are sometimes the most practical verification method. ‘Revocation on Demand’ was presented as an efficient CRL based method. Patrick McDaniel (University of Michigan, USA) and Avi Rubin (AT&T Labs, USA)


Self Scrambling Anonymizers.  The authors provide a new tool and a new business based on the provision of scalable anonymity. Such ‘anonymity providers’ would certify re-encrypted data regarding the authenticity of the data without knowing the content. The system is scalable as the user specifies the degree of anonymity desired, and is charged accordingly. David Pointcheval (Ecole Normale Superieure, France)


Authentic Attributes with Fine-Grained Anonymity Protection. This paper proposes a pseudonym registration scheme that permits Globally Unique Pseudonyms (GUPs). Such a system enables authentication of user attributes while preserving anonymity and is resistant to pseudonym profiling. The system allows for partial or complete revocation of multi-group certificates held by an individual.  Stuart G. Stubblebine (CertCo, USA) and Paul F. Syverson (Naval Research Labs, USA)


Resource Efficient Anonymous Group Identification. The Homage system was presented as a way to anonymously verify that a person is a member of a group; not even the group that issues membership can determine the identity of the person. The computational intensity is not a function of the number of members. The method is based on the assumption that the Diffie-Hellman decision problem is hard. Although the impossibility of forgery is not proved, it is suggested. Ben Handley (New Zealand)


Secret Key Authentication with Software-Only Verification. Two authentication protocols use a symmetric cipher applied asymmetrically; the result is a software based system that does not require storage of any secret information. The protocols are particularly suited to smart card applications.

Jaap-Henk Hoepman (University of Twente, Netherlands)


Financial Cryptography in 7 Layers. A model was presented to conceptualize the discipline of financial cryptography. The proposed layers include 1) Cryptography, 2) Software Engineering, 3) Rights, 4) Accounting, 5) Governance, 6) Value, and 7) Finance. The model allows for the delineation of areas of expertise and a common vocabulary for coordinating projects. The model has a number of limitations, and is not a design methodology. Ian Grigg (Systemics)


Capability-Based Financial Instruments. The idea of ‘cryptographic capabilities’ is introduced as a method for standardizing design of e-commerce systems. Cryptographic capabilities are compared to the object-oriented approach that allows high-level modular design. Mark S. Miller (, Bill Frantz and Chip Morningstar (, USA)


Panel Discussion I: Payment Systems: The Next Generation. Focus on business issues relating to second generation electronic payment systems. Identification of markets, assessing technology, forecasting future trends.

Moderated by Moti Yung (CertCo, USA)

Shannon Byrne (Paradata, Canada)

Greg Napiorkowski (Mondex, International)

Max Levchin (Confinity, USA)

David Farago (Ecash, USA)

Charles Evans (e-gold, USA)


Panel Discussion II: Public Key Infrastructure: PKIX, Signed XML, or Something Else?

The 1999 IETF proposed standard for public key infrastructure has been criticized on a number of levels.  The proposed standards are somewhat ambiguous and do not prohibit application specific features. PKIX software from different sources interoperates on a basic level, but many functions are not fully interoperable. The 1999 document places an emphasis on certificates and has little to say on public/private key pairs. Extensible Markup Language (XML) offers an alternative for building a PKI that is flexible and more interoperable.

Moderated by Barb Fox and Brian LaMacchia (Microsoft)

Carl Ellison (Intel Architecture Labs)

Caelen King (Baltimore Technologies)

Patrick Richard (Xcert)

Ron Rivest (MIT LCS)


Vince Cate’s term as an IFCA Director expired and he declined to run for re-election. In the election to fill that spot, Barb Fox was elected.


Vince Cate gave a presentation immediately after the conference on several strategies for improving Anguilla’s internet connectivity. Various satellite, line of sight, and cable alternatives are under consideration. A number of Anguillan residents involved in FC planned on approaching the new government with a plan to increase bandwidth and stimulate business following the March elections.


Corporate Sponsors of FC 2000 include: e-gold, InterTrust Star Lab, Hushmail, Telcordia Technologies, Zeroknowledge, nCipher, Xcert, Global Commerce, Offshore Information Services, and CertCo.