
Ahto Buldas - Tallinn University of Technology
About
83 Publications
20,315 Reads
1,280 Citations
Publications (83)
Scalable and secure implementation of central bank digital currencies (CBDC) has been a challenge. Blockchains provide high operator-independent security and enable central banks to outsource CBDC operations while retaining control over the amount of circulating money. Scalability of blockchain depends on the possibility of decomposing the blockcha...
Our aim is to understand technological and socio-economic barriers to blockchain solutions that are intrinsic in the blockchain technology stack itself (permissionless as well as permissioned). On the basis of that, we want to understand the future potential impact of blockchain technology. We provide an argumentation against the theoretical backg...
The Web3 vision takes blockchain disintermediation to a next level by making it ubiquitous, encompassing not only payments and financial services but also digital identities, data and business models. Recently, Web3 has gained massive attention by major analysts such as Gartner, Forrester, Forbes Technology Council and the Harvard Business Review....
During the last years, central banks have discussed possible use of central bank digital currencies (CBDC) – electronic cash. Besides the financial and economic factors also the security and scalability of technical implementation of CBDC have been studied. Blockchain technology provides high level of security independent of the technical infrastru...
We present a general theory of payment systems that is capable of describing both traditional and electronic forms of payment. Starting from the three basic functions of money and general non-functional requirements, we derive the necessary and sufficient properties of technical implementations of money and payments. We describe possible scalable i...
Since its introduction with Bitcoin in 2009, blockchain technology has received tremendous attention by academia, industry, politics and media alike, in particular, through extended blockchain-based visions such as smart contracts, decentralized finance, and, most recently, Web3. The critical prerequisite for any such blockchain-based vision to b...
In this paper, we explain the Alphabill family of technologies that addresses both unlimited scalability and unrestricted adaptivity. We deliver a sharded blockchain technology with unlimited scalability, called KSI Cash, which is based on a new form of electronic money scheme, the bill scheme. We present performance tests of KSI Cash that we have...
Since the introduction of Bitcoin in 2009 and its immense resonance in media, we have seen a plethora of envisioned blockchain solutions. Usually, such blockchain solutions claim to be disruptive. Often, such disruptiveness takes the form of a proclaimed blockchain revolution. In this paper, we want to look at blockchain technology from a neutral,...
Attack trees are considered a useful tool for security modelling because they support qualitative as well as quantitative analysis. The quantitative approach is based on values associated to each node in the tree, expressing, for instance, the minimal cost or probability of an attack. Current quantitative methods for attack trees allow the analyst...
A new hash-based, server-supported digital signature scheme was proposed recently in [7]. We decompose the concept into forward-resistant tags and a generic cryptographic time-stamping service. Based on the decomposition, we propose more tag constructions which allow efficient digital signature schemes with interesting properties to be built. In pa...
We present a practical digital signature scheme built from a cryptographic hash function and a hash-then-publish digital time-stamping scheme. We also provide a simple proof of existential unforgeability against adaptive chosen-message attack (EUF-ACM) in the random oracle (RO) model.
The lifetime of commonly used digital signature schemes is limited because their security is based on computational assumptions that potentially break in the future. In 1993, Bayer et al. suggested that the lifetime of a digital signature can be prolonged by time-stamping the signature together with the signed document. Based on this idea, various...
We propose a new method for shared RSA signing between the user and the server so that: (a) the server alone is unable to create valid signatures; (b) having the client’s share, it is not possible to create a signature without the server; (c) the server detects cloned client’s shares and blocks the service; (d) having the password-encrypted client’...
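Properties (a) and (b) of the shared-signing entry above, that neither the server nor the holder of the client's share can sign alone, follow from splitting the RSA private exponent additively between the two parties. The Python below is an added illustration written for this page, not the scheme from the paper (it does not cover clone detection or the password-encrypted share); the toy modulus, the hash-and-reduce message representative and the function names are assumptions for the demo.

```python
"""Server-supported RSA signing with an additively split private exponent.
Added illustration, not the paper's scheme: d = d_c + d_s (mod phi), so the
client and server each compute a partial signature and neither can sign alone.
The parameters are a constructed toy modulus; never use them in practice."""
import hashlib
import secrets

# Constructed toy modulus from two well-known primes (about 60 bits, insecure)
P, Q = 1_000_000_007, 998_244_353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)        # private exponent (Python 3.8+ modular inverse)


def msg_rep(message: bytes) -> int:
    """Hash the message and reduce into Z_N (toy stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def split_key(d: int = D, phi: int = PHI, client_share=None):
    """Additive split of d: the client share is random in [1, phi-1] unless
    given explicitly (used by tests); the server gets the rest mod phi."""
    d_c = secrets.randbelow(phi - 1) + 1 if client_share is None else client_share
    d_s = (d - d_c) % phi
    return d_c, d_s


def partial_sign(message: bytes, share: int) -> int:
    """One party's contribution: h^share mod N."""
    return pow(msg_rep(message), share, N)


def combine(sig_client: int, sig_server: int) -> int:
    # h^{d_c} * h^{d_s} = h^{d_c + d_s} = h^{d + k*phi} = h^d   (mod N)
    return (sig_client * sig_server) % N


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Ordinary RSA verification: the verifier sees a single standard key."""
    return pow(signature, e, n) == msg_rep(message)


def demo():
    """Run one signing session and report which shares suffice to sign."""
    d_c, d_s = split_key()
    msg = b"transfer 10 EUR to account 42"   # constructed sample message
    s_c = partial_sign(msg, d_c)             # client-side step (holds d_c)
    s_s = partial_sign(msg, d_s)             # server-side step (holds d_s)
    return {
        "full": verify(msg, combine(s_c, s_s)),   # both parties: valid
        "client_alone": verify(msg, s_c),         # property (b): invalid
        "server_alone": verify(msg, s_s),         # property (a): invalid
    }


if __name__ == "__main__":
    print(demo())
```

The verifier needs nothing beyond the public key, so the split is invisible to relying parties; what the server gains is a policy point (it can refuse or rate-limit signing), which is the hook the paper's clone detection builds on.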
We introduce infeasibility certificates, compact and easily verifiable proofs that no profitable attacks exist in the considered system model. We introduce computational methods for generation and validation of such proofs using an enhanced weight reduction technique. A new method for obtaining adversarial expenses by approximating an interval with...
Cryptographic commitments are either unconditionally hiding or unconditionally binding, but cannot be both. As a consequence, the security of commonly used commitment schemes is threatened in the long-term, when adversaries become computationally much more powerful. We improve over this situation by putting forward a new notion of commitment scheme...
During the last decades, we have witnessed an explosive growth of computer-technology and the Internet. Due to the growing role of computers and Internet in important business and state-related activities, investments to computer security and the security industry have also been growing fast. In spite of that, we also see the growing trend of cyber...
Multi-tenancy in the cloud environment brings new challenges to data security including but not limited to trust, data and system integrity and the overhead of cryptographic key management. These challenges can be efficiently addressed using novel data signing schemes. We compare personal digital signature solutions provided by public key infrastru...
We present the results of research of limiting adversarial budget in attack games, and, in particular, in the failure-free attack tree models presented by Buldas-Stepanenko in 2012 and improved in 2013 by Buldas and Lenin. In the previously presented models attacker’s budget was assumed to be unlimited. It is natural to assume that the adversarial...
A method of generating a keyless digital multi-signature is provided. The method includes receiving multiple signature generation requests from one or more client computers, building subtrees based on the signature generation requests, and constructing a search tree including the subtrees. The method also includes assigning explicit length tags to...
We present a new tighter security proof for unbounded hash tree keyless signature (time-stamping) schemes that use Merkle-Damgård (MD) hash functions with Preimage Aware (PrA) compression functions. It is known that the PrA assumption alone is insufficient for proving the security of unbounded hash tree schemes against back-dating attacks. We show...
We propose a log signing scheme that enables (a) verification of the integrity of the whole log, and (b) presentation of any record, along with a compact proof that the record has not been altered since the log was signed, without leaking any information about the contents of other records in the log. We give a formal security proof of the scheme,...
We present a new fully adaptive computational model for attack trees that allows attackers to repeat atomic attacks if they fail and to play on if they are caught and have to pay penalties. The new model allows safer conclusions about the security of real-life systems and is somewhat (computationally) easier to analyze. We show that in the new mode...
In Estonia, the X-Road infrastructure for unified governmental database access has been in use for more than 10 years. The number of queries mediated over the X-Road has exceeded 240 million per year. Even though all the queries and replies are signed by using the X-Road's own PKI facilities, the resulting signatures are not fully qualified in the...
Keyless Signatures Infrastructure (KSI) is a globally distributed system for providing time-stamping and server-supported digital signature services. Global per-second hash trees are created and their root hash values published. We discuss some service quality issues that arise in practical implementation of the service and present solutions for av...
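The two entries above on log signing (a compact per-record proof that reveals nothing about the other records) and on KSI (per-round hash trees whose roots are published) rest on the same construction: a Merkle tree over the round's inputs, a published root, and an audit path per leaf. The Python below is an added example written for this page, not code from the papers or from the KSI service; the blinding-nonce leaf format, the domain-separation prefixes and the in-memory list standing in for the publication medium are assumptions of the example.

```python
"""Hash-then-publish time-stamping and record-level log signing (added example).
Leaves and inner nodes get distinct prefixes so an inner node can never be
passed off as a leaf; an unpaired node is carried up the tree unchanged."""
import hashlib
import os
from dataclasses import dataclass


def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


def build_levels(leaves):
    """Bottom-up Merkle tree; returns all levels, levels[-1][0] is the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            nxt.append(H(b"\x01", cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i])
        levels.append(nxt)
    return levels


def audit_path(levels, index):
    """(sibling_hash, sibling_is_on_right) pairs from the leaf up to the root."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):                 # no sibling: node was carried up
            path.append((level[sib], sib > index))
        index //= 2
    return path


def root_from_path(leaf: bytes, path) -> bytes:
    h = leaf
    for sib, on_right in path:
        h = H(b"\x01", h, sib) if on_right else H(b"\x01", sib, h)
    return h


@dataclass
class Token:
    round_no: int
    leaf: bytes
    path: list


class TimeStampService:
    """One hash tree per round; the root is 'published' by appending it to a
    list that stands in for a widely witnessed medium (an assumption here)."""

    def __init__(self):
        self.published = []

    def run_round(self, request_hashes):
        leaves = [H(b"\x00", x) for x in request_hashes]
        levels = build_levels(leaves)
        self.published.append(levels[-1][0])
        rno = len(self.published) - 1
        return [Token(rno, leaves[i], audit_path(levels, i)) for i in range(len(leaves))]

    def verify(self, doc_hash: bytes, token: Token) -> bool:
        if token.leaf != H(b"\x00", doc_hash):
            return False
        return root_from_path(token.leaf, token.path) == self.published[token.round_no]


def sign_log(records):
    """Each record is hashed with a fresh random blind, so the sibling hashes
    in another record's proof leak nothing about this record's content."""
    blinds = [os.urandom(32) for _ in records]
    leaves = [H(b"\x00", b, r) for b, r in zip(blinds, records)]
    levels = build_levels(leaves)
    return levels[-1][0], blinds, levels      # root is what gets signed/stamped


def record_proof(levels, blinds, index):
    """What is handed over together with one record: its blind and audit path."""
    return blinds[index], audit_path(levels, index)


def verify_record(record: bytes, blind: bytes, path, signed_root: bytes) -> bool:
    return root_from_path(H(b"\x00", blind, record), path) == signed_root


if __name__ == "__main__":
    svc = TimeStampService()
    docs = [H(b"document %d" % i) for i in range(5)]   # constructed inputs
    tokens = svc.run_round(docs)
    print(all(svc.verify(d, t) for d, t in zip(docs, tokens)))
```

The audit path for one record contains only 32-byte hashes and that record's own blind, which is the property the log-signing entry asks for; without the blind, a verifier holding a sibling hash could confirm a guessed low-entropy record by recomputing its leaf.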
The need for combining various heterogeneous data sources into a uniformly accessible infrastructure has given rise to the development of federated database systems. Security aspects of such systems have been well-studied, but they have mostly concentrated on privacy and access control issues. In this paper, we take a closer look at the availabilit...
The known security proofs for hash tree time-stamping assume collision-resistance (CR). An asymptotically optimally tight proof has the security loss formula $t'/\delta' \approx 14\,C\,(t/\delta)^{1.5}$, where $t'/\delta'$ is the time-success ratio of a collision-finder, $t/\delta$ is the ratio of a back-dating adversary and $C$ is the size of the hash tree created in every time unit....
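As an added worked instance of the loss formula above (not from the paper; the parameter values are assumed for illustration): suppose no collision-finder for the hash function has time-success ratio below $t'/\delta' = 2^{128}$ and the service builds trees of size $C = 2^{20}$ per time unit. Rearranging $t'/\delta' \approx 14\,C\,(t/\delta)^{1.5}$ gives the ratio the reduction guarantees against a back-dating adversary:

$$\frac{t}{\delta} \gtrsim \left(\frac{2^{128}}{14 \cdot 2^{20}}\right)^{2/3} = \left(\frac{2^{108}}{14}\right)^{2/3} \approx 2^{69.5}.$$

The proof thus certifies roughly $2^{69.5}$ rather than $2^{128}$: the exponent $1.5$ keeps two thirds of the hash function's bits (a quadratic loss would keep only half), and the factor $14\,C$ costs a further $\tfrac{2}{3}\log_2(14\,C) \approx 15.9$ bits. This is a lower bound delivered by the reduction, not an attack.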
Oracle separation methods are used in cryptography to rule out black-box reductions between cryptographic primitives. It is sufficient to find an oracle relative to which the base primitive exists but there are no secure instances of the constructed primitive. It is often beyond our current reach to construct a fixed oracle with such properties bec...
Attack trees model the decision making process of an adversary who plans to attack a certain system. Attack trees help to visualize possible attacks as Boolean combinations of atomic attacks and to compute attack-related parameters such as cost, success probability and likelihood. The known methods of estimating the adversary's utility are of high com...
We study the security of hash-then-publish time-stamping schemes and concentrate on the tightness of security reductions from the collision-resistance of the underlying hash functions. While the previous security reductions create a quadratic loss in the security in terms of time-success ratio of the adversary being protected against, this paper ac...
Oracle separation methods are used in cryptography to rule out black-box reductions between cryptographic primitives. It is sufficient to find an oracle relative to which the base primitive exists but there are no secure instances of the constructed primitive. In practice, it is beyond our current reach to construct a fixed oracle with such propert...
We establish a framework for bounding the efficiency of cryptographic reductions in terms of their security transfer. While efficiency bounds for the reductions have been studied for about ten years, the main focus has been the efficiency of the construction mostly measured by the number of calls to the basic primitive by the constructed primitive....
Let D be a public on-line database that is maintained by a party who is possibly not completely trustworthy. We study cryptographic techniques preventing the party (1) from undetectably modifying the content of D, and (2) from giving contradictory answers to the same query q, after a relatively short cryptographic digest d of D is made public. Prev...
It has been known for quite some time that collision-resistance of hash functions does not seem to give any actual security guarantees for unbounded hash-tree time-stamping, where the size of the hash-tree created by the time-stamping service is not explicitly restricted. We focus on the possibility of showing that there exist no black-box reductio...
We prove that there are no black-box reductions from Collision-Free Hash Functions to secure time-stamping schemes, which means that in principle secure time-stamping schemes may exist even if there exist no collision-resistant hash functions. We show that there is an oracle relative to which there exist secure time-stamping schemes but no hash fun...
We adapt game theoretic methods for studying the security of two e-voting systems: the Estonian E-Voting System (EstEVS) and the Secure Electronic Registration and Voting Experiment (SERVE) performed in the United States of America. While these two systems are quite similar from the technical side, security experts have made totally different decisions abo...
We prove in a non-black-box way that every bounded list and set commitment scheme is knowledge-binding. This is a new and rather strong security condition, which makes the security definitions for time-stamping much more natural compared to the previous definitions, which assume unpredictability of adversaries. As a direct consequence, list and set...
We present a simple risk-analysis based method for studying the security of institutions against rational (gain-oriented) attacks. Our method uses a certain refined form of attack-trees that are used to estimate the cost and the success probability of attacks. We use elementary game theory to decide whether the system under protection is a realisti...
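The quantitative attack-tree entries above (atomic attacks with a cost and a success probability, combined through AND/OR nodes, and a game-theoretic test of whether a gain-oriented attacker finds the system a realistic target) can be exercised with a small evaluator. The Python below is an added example written for this page, not the multi-parameter model of the papers: it deliberately omits detection probabilities, penalties and repeated attempts, assumes an AND node pays for all its children up front, and its attack figures are invented.

```python
"""Quantitative attack-tree evaluation for a rational, gain-oriented attacker.
Added illustration with a simplified model (cost and success probability only;
no penalties or repeated attempts), not the model of the papers listed here."""
import math
from dataclasses import dataclass, replace
from typing import Tuple, Union


@dataclass(frozen=True)
class Leaf:
    name: str
    cost: float    # attacker's expense to attempt this atomic attack
    p: float       # probability that the attempt succeeds


@dataclass(frozen=True)
class Node:
    op: str                        # "AND": all children needed; "OR": any one suffices
    children: Tuple["Tree", ...]


Tree = Union[Leaf, Node]


@dataclass(frozen=True)
class Result:
    cost: float
    p: float
    plan: Tuple[str, ...]          # atomic attacks the attacker would actually run


def evaluate(tree: Tree, gains: float) -> Result:
    """AND: costs add and success probabilities multiply (assumption: every
    step is paid for up front). OR: a rational attacker takes the child with
    the highest expected utility p*gains - cost, so fixing one branch only
    helps if every other branch is unprofitable too."""
    if isinstance(tree, Leaf):
        return Result(tree.cost, tree.p, (tree.name,))
    parts = [evaluate(c, gains) for c in tree.children]
    if tree.op == "AND":
        return Result(sum(r.cost for r in parts),
                      math.prod(r.p for r in parts),
                      tuple(n for r in parts for n in r.plan))
    if tree.op == "OR":
        return max(parts, key=lambda r: r.p * gains - r.cost)
    raise ValueError(f"unknown operator {tree.op!r}")


def expected_utility(tree: Tree, gains: float):
    r = evaluate(tree, gains)
    return r.p * gains - r.cost, r.plan


def is_realistic_target(tree: Tree, gains: float) -> bool:
    """The defender's decision rule: the system is a realistic target if the
    attacker's best plan has strictly positive expected utility."""
    return expected_utility(tree, gains)[0] > 0


def with_countermeasure(tree: Tree, leaf_name: str, **changes) -> Tree:
    """Copy of the tree with one leaf's parameters changed, e.g. p lowered
    after deploying a control; lets the defender compare options."""
    if isinstance(tree, Leaf):
        return replace(tree, **changes) if tree.name == leaf_name else tree
    return replace(tree, children=tuple(
        with_countermeasure(c, leaf_name, **changes) for c in tree.children))


# Constructed example: steal a customer database. All figures are invented.
GAINS = 100_000.0
TREE = Node("OR", (
    Node("AND", (Leaf("phish_admin", 2_000, 0.6),
                 Leaf("bypass_mfa", 8_000, 0.3))),
    Node("AND", (Leaf("exploit_webapp", 15_000, 0.4),
                 Leaf("escalate_priv", 5_000, 0.7),
                 Leaf("dump_db", 1_000, 0.9))),
    Leaf("bribe_insider", 50_000, 0.5),
))

if __name__ == "__main__":
    print(expected_utility(TREE, GAINS))                       # about 8000, phishing branch
    hardened = with_countermeasure(TREE, "bypass_mfa", p=0.05)
    print(expected_utility(hardened, GAINS))                   # about 4200, web-app branch
    hardened = with_countermeasure(hardened, "exploit_webapp", p=0.1)
    print(is_realistic_target(hardened, GAINS))                # False
```

With the invented numbers, phishing-resistant MFA alone moves the attacker to the web-application branch rather than deterring them; only after that branch is also made unprofitable does the best remaining option (bribery) have zero expected utility, and the system stops being a realistic target under this model.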
We study the influence of collision-finding attacks on the security of time-stamping schemes. We distinguish between client-side hash functions used to shorten the documents before sending them to time-stamping servers and server-side hash functions used for establishing one-way causal relations between time stamps. We derive necessary and sufficie...
We present a universally composable time-stamping scheme based on universal one-way hash functions. The model we use contains an ideal auditing functionality (implementable in the Common Reference String model), the task of which is to check that the rounds' digests are correctly computed. Our scheme uses hash-trees and is just a slight modifica...
It is almost folklore knowledge that hash-based time-stamping schemes are secure if the underlying hash function is collision-resistant, but still no rigorous proofs have been published. We try to establish such a proof and conclude that the existing security conditions are improper because they ignore precomputations by adversaries. After analyz...
We propose an efficient and flexible system for secure and authentic data exchange in a multi-institutional environment, where the institutions maintain different databases and provide secure and limited access services to employees of other institutions. The main motivation for building such a system was to organize efficient cooperative use of s...
We propose a simple server-based electronic signature system in which a small number of common private keys are used. The motivation of such a system is to escape the scalability and complexity problems that arise if a large-scale Public Key Infrastructure (PKI) is used. We argue that the assumption of personal private keys is the main reason for t...
We introduce a new type of authenticated search trees, an alternative to Certificate Revocation Lists that enables one to reduce the scope of trusted operations performed by Certificate Authorities. Our construction is similar to the authenticated data structures proposed by Naor and Nissim [NN98] but, as we show, it fulfills some stronger securit...
This paper presents a method to increase the accountability of certificate management by making it intractable for the certification authority (CA) to create contradictory statements about the validity of a certificate. The core of the method is a new primitive, the undeniable attester, that allows someone to commit to some set S of bitstrings by...
We discuss the availability questions that arise when digital time stamps are used for preserving the evidentiary value of electronic documents. We analyze the time-stamping protocols known to date and point out some weaknesses that have not been addressed so far in scientific literature. Without addressing and solving them, any advantag...
Digitally signed documents (e.g. contracts) would quickly lose their validity if the signing keys were revoked or the signature scheme was broken. The conventional validation techniques have been designed just for ephemeral use of signatures and are impractical for long-term validation. We present a new scheme that: (1) provides fast revocation whi...
This paper initiates a study of accountable certificate management methods, necessary to support long-term authenticity of digital documents. Our main contribution is a model for accountable certificate management, where clients receive attestations confirming inclusion/removal of their certificates from the database of valid certificates. We expla...
Binary Linking Schemes (BLS) for digital time-stamping [3] provide (1) relative temporal authentication to be performed in logarithmic time, and (2) time-certificates of reasonable size, which together with the data published in a widely available medium enable the verifier to establish their relative temporal positions, even if the database held...
One of the main factors for developing a well functioning legal background for the use of electronic documents as evidence in court is the presence of a reliable time-stamping infrastructure. Many countries are currently working on their national digital signature law. The current paper emphasises some of the problems that arose during the work of t...
We state the basic requirements for time-stamping systems applicable as the necessary support to the legal use of electronic documents. We analyze the main drawbacks of the time-stamping systems proposed to date and present a new system that meets all the stated requirements. We prove that these requirements cannot be significantly tightened.
Data communication uses RSA for key exchange and IDEA for block encryption. The presented design employs both modular arithmetic and IDEA using the same 96-bit ALU for calculations. The one-chip 1.0 µm, 104 mm² CMOS design can also generate and hold keys for asymmetric key exchange systems and has internal self-test. I. INTRODUCTION Data Encryption...
Efficient secure time-stamping schemes employ a 2-level approach in which the time-stamping service operates in rounds. We say that a time-stamping service is accountable if it makes the TSA and other authorities accountable for their actions by enabling a principal to detect and later prove to a judge any frauds, including attempts to reorder t...
The congruence lattices of graphs satisfying a given lattice identity are studied. A complete characterization of all finite graphs for which the congruence lattice lies in a given lattice variety is presented.
A test synthesis and analysis system Turbo Tester (TT) has been developed and installed on IBM PC/ATs for teaching graduate and undergraduate courses in integrated circuits design and test at the Technical University of Tallinn in Estonia. In TT, different methods for test pattern generation (random, deterministic, mixed), fault simulation (two- an...
"B. Natural and Exact Sciences." Thesis (Ph. D.)--Tallinn Technical University, 1999. Includes bibliographical references (p. 97-99) and index.