Abstract: An RSA-based signing scheme that combines essentially optimal efficiency with attractive security properties. One preferred signing routine requires one RSA decryption plus some hashing, verifications requires one RSA encryption plus some hashing, and the size of the signature preferably is the size of the modulus. Given an ideal underlying hash function, the scheme is not only provably secure, but has security tightly related to the security of RSA. An alternative embodiment maintains all of the above features and, in addition, provides message recovery. The techniques can be extended to provide schemes for Rabin-based signatures or signatures using other trapdoor functions.

Abstract: A cryptographic method implemented on an electronic communication network interconnecting a plurality of terminals represents funds in a way that is secure at the issuer and secure when funds move from payer to payee and back to the issuer. The cryptographic method mints, issues, pays and redeems funds when transactions are done over the network with the flow and transaction of funds being controlled by an issuer. The method implements electronic money acquisition, transfer of money between users in an unrestricted way and in a way where fraud is impossible cryptographically, and redemption of electronic money to correct real money bank accounts. Funds are handled so that their representation enables the issuer to treat the representation as a physical monetary instrument equivalent to notes or coins.

Abstract: Methods for designing encryption algorithms with different levels of security for different parties: "easier" (but requiring some work nonetheless) to break for some parties (e.g., the government) than for other parties (the adversaries at large). This is achieved by a new form of key escrow in which the government gets some information related to the secret keys of individuals but not the secret keys themselves. The information given to the government enables it to decrypt with a predetermined level of computational difficulty less than that for adversaries at large. The new key escrow methods are verifiable. Verification information can be provided to the government so that it can verify that the information escrowed is sufficient to enable it to decrypt with the predetermined level of computational difficulty. The fact that the government must perform some computation to break the encryption schemes of individual users provides a serious deterrent against massive wiretapping.

Abstract: A method and system for providing data authentication, within a data communication environment, in a manner which is simple, fast, and provably secure. A data message to be sent is partitioned into data blocks. Each data block is combined with a block index to create a word. A pseudo-random function is applied to each word to create a plurality of enciphered data strings. An identifying header, comprising the identity of the sender and a counter value, is also enciphered using a pseudo-random function. These enciphered data strings and header are logically combined to create a tag. As the enciphering of a particular word occurs independent of the other words, each block can be enciphered independently of the others. The method and system can thus be performed and structured in either a parallel or pipelined fashion. A receiving component or system generates a second tag which can then be compared with the transmitted tag to determine message authentication.

Abstract: A method for encrypting a plaintext string into ciphertext begins by cipher block chaining (CBC) the plaintext using a first key and a null initialization vector to generate a CBC message authentication code (MAC) whose length is equal to the block length. The plaintext string is then cipher block chained again, now using a second key and the CBC-MAC as the initialization vector, to generate an enciphered string. The CBC-MAC and a prefix of the enciphered string comprising all of the enciphered string except the last block are then combined to create the ciphertext. The described mode of operation is length-preserving, yet has the property that related plaintexts give rise to unrelated ciphertexts.

Abstract: A method and system for providing data authentication, within a data communication environment, in a manner which is simple, fast, and provably secure. A data message to be sent is partitioned into data blocks. Each data block is combined with a block index to create a word. A pseudo-random function is applied to each word to create a plurality of enciphered data strings. An identifying header, comprising the identity of the sender and a counter value, is also enciphered using a pseudo-random function. These enciphered data strings and header are logically combined to create a tag. As the enciphering of a particular word occurs independent of the other words, each block can be enciphered independently of the others. The method and system can thus be performed and structured in either a parallel or pipelined fashion. A receiving component or system generates a second tag which can then be compared with the transmitted tag to determine message authentication.