Yiannis Tsiounis’s research while affiliated with Northeastern University and other places


Publications (24)


Group Encryption.
  • Conference Paper
  • Full-text available

December 2007 · 139 Reads · 38 Citations · Yiannis Tsiounis

We present group encryption, a new cryptographic primitive which is the encryption analogue of a group signature. It possesses similar verifiability, security and privacy properties, but whereas a group signature is useful whenever we need to conceal the source (signer) within a group of legitimate users, a group encryption is useful whenever we need to conceal a recipient (decryptor) within a group of legitimate receivers. We introduce and model the new primitive and present sufficient as well as necessary conditions for its generic implementation. We then develop an efficient novel number theoretic construction for group encryption of discrete logarithms whose complexity is independent of the group size. As part of achieving this we construct a new public-key encryption for discrete logarithms that satisfies CCA2-key-privacy and CCA2-security in the standard model (this gives the first Paillier-based system with the above two properties proven in the standard model). Applications of group encryption include settings where a user wishes to hide her preferred trusted third party or even impose a hidden hierarchy of trusted parties while being required to assure well-formed ciphertexts, as well as oblivious storage settings where the set of retrievers need to be verifiable but the storage distribution should be oblivious to the server.


“Indirect discourse proofs”: Achieving efficient Fair Off-Line e-cash

October 2006 · 50 Reads · 92 Citations

Cryptography has been instrumental in reducing the involvement of over-head third parties in protocols. For example, a digital signature scheme assures a recipient that a judge who is not present at message transmission will nevertheless approve the validity of the signature. Similarly, in off-line electronic cash the bank (which is off-line during a purchase) is assured that if a user double spends he will be traced. Here we suggest the notion of Indirect Discourse Proofs with which one can prove indirectly yet efficiently that a third party has a certain future capability (i.e., assure Trustees can trace). The efficient proofs presented here employ algebraic properties of exponentiation (or functions of similar homomorphic nature). Employing this idea we present the concept of Fair Off-Line e-Cash (FOLC) system which enables tracing protocols for identifying either the coin or its owner. Recently, the need to trace and identify coins with owners/withdrawals was identified (to avoid blackmailing and money laundering). Previous solutions that assured this traceability (called fair e-cash as they balance the need for anonymity and the prevention of criminal activities) involved third parties at money withdrawals. In contrast, FOLC keeps any third party uninvolved, thus it is fully off-line e-cash even when law enforcement is added (i.e., it is off-line w.r.t. law enforcement at withdrawals and off-line w.r.t. the bank at payments).


A Solution for Wireless Privacy and Payments based on E-cash.

January 2005 · 123 Reads · 12 Citations

The IEEE 802.11 Wireless Local Area Network (WLAN) specifications have been the subject of increased attention due to their rapid commercial adaptation and the introduction of new security and privacy concerns. The IEEE 802.1x standard was introduced in order to overcome the initial security shortcomings of the Wired Equivalent Privacy (WEP) protocol. The IEEE 802.1x standard is an extensible standard that couples 802.11 networks with various authentication services through the incorporation of an Extensible Authentication Protocol (EAP) authentication dialog. The existing implementations of EAP dialogs are based on standard cryptographic solutions for authentication and session key generation but do not, however, provide any form of user anonymity or privacy. Anonymity and privacy are currently of pressing interest, especially in the context of WLANs, which are simultaneously the best medium to provide privacy (there is no physical phone number or connection end-point with a predetermined owner) as well as the most threatening medium to user privacy, as they have the potential of disclosing not only the identity of the user, but also their physical location. At the same time, the potential "perfect hiding" capabilities of WLAN users also highlights the need to control anonymity by introducing more flexible authentication mechanisms. Moreover, payment for wireless services is completely decoupled from the above procedures, raising additional efficiency and privacy concerns. In this work we propose a new EAP authentication dialog based on anonymous electronic cash that provides for privacy, anonymity control, payment acceptance and billing, and authentication. Our solution is based on the notion of "public-key embedding e-cash," an e-cash variant we present and formalize in this paper. We present a concrete description of the new EAP authentication dialog in the context of IEEE 802.1x. 
We also present an efficient implementation of a public-key embedding e-cash scheme based on RSA blind signatures and prove its security.


Electronic Payments: where do we go from here?

September 2004 · 118 Reads · 8 Citations

Currently, the Internet and the World Wide Web on-line business has boomed, with traffic, advertising and content growing at sustained exponential rates. However, the full potential of on-line commerce has not been possible to realize due to the lack of convenient and secure electronic payment methods (e.g., for buying e-goods and paying with e-money). Although it became clear very early that it is vital for payments to be safe and efficient, and to avoid requiring complicated user intervention, it is still the case that the Internet payment method of choice today is that of traditional credit cards. Despite their widespread use and market penetration, these have a number of significant limitations and shortcomings, including lack of security, lack of anonymity, inability to reach all audiences due to credit requirements, large overhead with respect to payments, and the related inefficiency in processing small payment amounts.



Traceable Signatures

February 2004 · 187 Reads · 252 Citations

Lecture Notes in Computer Science

This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. The extended functionality of traceable signatures is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures of a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users. To allow efficient implementation of our scheme we develop a number of basic tools, zero-knowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”


A Security Framework for Card-Based Systems

February 2001 · 15 Reads · 2 Citations

Lecture Notes in Computer Science

The legal framework provided by the Electronic Signature Act, enacted to law as of October 1, 2000, has fueled the interest for digital signature-based payment transactions over the Internet. The bulk of formalization and security analysis to date on such secure payments has focused on creating new secure channels for existing credit or debit card systems (iKP and SET). But there has been no formal modeling, or an attempt to strengthen of the security of, the card systems themselves. In this paper we present a simple but formal communication and security model for all card-based payments, encompassing credit, debit and pre-paid cards, and proceed to propose CardSec, a new family of card-based systems which can be proven secure under this model. In the process we also analyze the security of existing credit, debit and pre-paid card systems, both for Internet and for brick and mortar payments. We then present an efficient implementation of CardSec in the form of the InternetCash™ card system and analyze its security in detail. We take the opportunity to describe the InternetCash Payment Protocol (ICPP) which can be used for creating a secure channel between Transaction Processor and Customer for all Internet-bound transactions, thus acting as an alternative to iKP and SET, and offering more security than systems utilizing limited-use credit card numbers. We conclude with a discussion on pre-authorization, refunds and customer service issues.


Exact Analysis of Exact Change: The k-Payment Problem

October 2000 · 93 Reads · 2 Citations

SIAM Journal on Discrete Mathematics

We introduce the k-payment problem: given a total budget of N units, the problem is to represent this budget as a set of coins, so that any k exact payments of total value at most N can be made using k disjoint subsets of the coins. The goal is to minimize the number of coins for any given N and k, while allowing the actual payments to be made on-line, namely without the need to know all payment requests in advance. The problem is motivated by the electronic cash model, where each coin is a long bit sequence, and typical electronic wallets have only limited storage capacity. The k-payment problem has additional applications in other resource-sharing scenarios. Our results include a complete characterization of the k-payment problem as follows. First, we prove a necessary and sufficient condition for a given set of coins to solve the problem. Using this characterization, we prove that the number of coins in any solution to the k-payment problem is at least $k H_{N/k}$, where $H_n$ denotes the nth element in the harmonic series. This condition can also be used to efficiently determine k (the maximal number of exact payments) which a given set of coins allows in the worst case. Secondly, we give an algorithm which produces, for any N and k, a solution with minimal number of coins. In the case that all denominations are available, the algorithm finds a coin allocation with at most $(k+1) H_{N/(k+1)}$ coins. (Both upper and lower bounds are the best possible.) Finally, we show how to generalize the algorithm to the case where some of the denominations are not available.


Electronic Payments: Where Do We Go from Here?

October 1999 · 71 Reads · 8 Citations · David M’Raihi · Yiannis Tsiounis · [...] · Rainer Baumgart

Currently, the Internet and the World Wide Web on-line business is booming, with traffic, advertising and content growing at sustained exponential rates. However, the full potential of on-line commerce has not been possible to realize due to the lack of convenient and secure electronic payment methods (e.g., for buying e-goods and paying with e-money). Although it became clear very early that it is vital for payments to be safe and efficient, and to avoid requiring complicated user intervention, it is still the case that the Internet payment method of choice today is that of traditional credit cards. Despite their widespread use and market penetration, these have a number of significant limitations and shortcomings, including lack of security, lack of anonymity, inability to reach all audiences due to credit requirements, large overhead with respect to payments, and the related inefficiency in processing small payment amounts. These limitations (some of which are present in the real world) prompted the design of alternative electronic payment systems very early in the Internet age–even before the conception of the World Wide Web. Such designs promised the security, anonymity, efficiency, and universal appeal of cash transactions, but in an electronic form. Some early schemes, such as the one proposed by First Virtual, were built around the credit card structure; others, such as the scheme developed by DigiCash, offered a solution with cryptographic security and payer anonymity. Still others, such as Millicent, introduced micropayment solutions. However, none of these systems managed to proliferate in the marketplace, and most have either ceased to exist or have only reached a limited audience. 
This paper is associated with a panel discussion whose purpose is to address the reasons why the international e-commerce market has rejected proposed solutions, and to suggest new ways for electronic payments to be used over the Internet, avoiding the problems inherent in credit card transactions. The purpose of this paper is to set the stage for such a discussion by presenting, in brief, some of the payment schemes currently available and to discuss some of the basic problems in the area.


Mis-representation of Identities in E-cash Schemes and how to Prevent it

October 1999 · 60 Reads · 6 Citations

In Crypto '93, S. Brands presented a very efficient off-line electronic cash scheme based on the representation problem in groups of prime order. In Crypto '95 a very efficient off-line divisible e-cash scheme based on factoring Williams integers was presented by T. Okamoto. We demonstrate one efficient attack on Okamoto's scheme and two on Brands' scheme which allow users to mis-represent their identities and doublespend in an undetectable manner, hence defeating the most essential security aspect of the schemes. The attack on Brands' scheme is also applicable to T. Eng and T. Okamoto's divisible e-cash scheme (presented in Eurocrypt '94) which uses Brands' protocols as a building block. We present an efficient modular fix which is applicable to any use of the Brands' idea, and we discuss how to counteract the attack on Okamoto's scheme. Hence the original results remain significant contributions to electronic cash. 1 Introduction In Crypto '95, Okamoto [Oka95] presented a very eff...


Citations (17)


... Brand introduced a restrictive blind signature scheme where a client provides zero-knowledge proof along with his identity in the resulting blind signature [6,7]. The scheme is inadequate to prevent double spending of e-coin if a malicious user can construct a forged identity and can spend the e-coin multiple times [8]. Fujisaki and Okamoto introduced a partially blind signature to overcome the downsides of carrying public and private keys where bank needs to maintain a huge database of every client [9,10]. ...

Reference:

Design of electronic payment system based on authenticated key exchange
Mis-representation of identities in e-cash schemes and how to prevent it
  • Citing Article
  • January 1996

Lecture Notes in Computer Science

... It is related to certain well-known problems [16] such as postage-stamp problem, knapsack problem, and change-making problem. The closest one is the k-payment problem [17], which was motivated by electronic cash model, where exact representation of each payment by the corresponding set of coins is required. Our problem, in contrast, is motivated by optical switching, where the hardware cost depends on the size of switching matrix, while the switched wavebands (coins) may or may not be completely occupied by wavelengths (units) unlike the k-payment problem. ...

Exact Analysis of Exact Change: The k-Payment Problem
  • Citing Article
  • October 2000

SIAM Journal on Discrete Mathematics

... Nevertheless, some alternative e-cash systems were proposed that managed to avoid the growth of the e-cash data (D'Amiano and Di Crescenzo, 1994; Okamoto, 1995). However, as mentioned in Chan et al. (1998), Tsiounis (1997), those e-schemes had other issues such as the limit of the total size of payments or lack of efficiency of e-cash protocols. In Fuchsbauer (2009) an attempt was made to construct a transferable e-cash scheme without the aforementioned data growth problem. ...

Efficient Electronic Cash: New Notions and Techniques
  • Citing Article

... We note that revocable anonymity is a concept which has been considered at great length in other fields, such as digital cash [27,28,31,10,17]. In digital cash, it is particularly important that it should be possible to link an electronic coin to the person who spent it once the transaction has occurred (for example, that coin may have been spent twice, or spent illegally). ...

Electronic Payments: Where Do We Go from Here?

... In the 1990s, the Cypherpunk movement gained momentum, inspired by the principles of digital anarchy and a knowledge of advanced mathematics, encouraging the use of cryptographic systems that would safeguard personal information and privacy in payments (Cavaller Riva and Ortega Yubro, 2021). During these years, projects such as B-Money (Brands, 1994) and Bit Gold (Frankel et al., 1996) were born, with the intention of eliminating intermediaries in negotiation processes. Of note is the initiative of David Chaum, who in 1990 launched DigiCash and, later, eCash, which made it possible to make payments with electronic money through computers using only software. ...

“Indirect discourse proofs”: Achieving efficient Fair Off-Line e-cash
  • Citing Chapter
  • October 2006

... The idea of determining whether a committed integer falls within a given range was first proposed in [19] and further expanded in [13,15]. The CFT Proof [16] achieves the goal of demonstrating that a secret value is within a given range. However, the CFT proof has a very high expansion rate. ...

Easy Come - Easy Go Divisible Cash.

... After double spending, the bank would be able to clear the structure in a polynomial time. Although Brands' scheme suffers from some weaknesses in misrepresenting the identity of the customer [17], some solutions have been proposed to prevent these weaknesses [10] [17]. Afterward, some schemes have been presented, which use a similar method to Brands' restrictive blind signature, to detect the identity of a double spender [18] [19] [20]. ...

Mis-representation of Identities in E-cash Schemes and how to Prevent it.

... This technology prevented centralized institutions that provide signatures from linking users to their transactions. A series of other digital currency payment technologies like J. Wu et al. universal electronic cash (Okamoto and Ohta, 1991), untraceable offline cash (Brands, 1993), fair blind signatures (Stadler et al., 1995), fair off-line e-cash (Frankel et al., 1996) later emerged in the 1990s. However, a common problem existed in these technologies is that trusted third parties are needed to detect double spending attacks. ...

"Indirect Discourse Proofs": Achieving Efficient Fair Off-Line E-Cash

... Nevertheless, in 1998, Frankel, Tsiounis and Yung in [26] pointed out that to date, there have been no efficient systems that could offer provable security. They proposed a fair off-line e-cash system, where the trusted third party could revoke the anonymity under a warrant or in the case of specified suspicious activity. ...

Fair Off-Line e-Cash made easy

Lecture Notes in Computer Science

... Our scheme adopts credit-based charging, i.e. the system charges each mobile user after it has finished a sequence of services for the user, just as the practical situation in the real world. It is different from the others which provided approaches of debit-based charging, i.e. each mobile user has to purchase payment token(s) before she/he starts accessing the services provided by the system [6,12]. What are the differences between charging mobile users in advance and charging them after the services? ...

A Solution for Wireless Privacy and Payments based on E-cash.
  • Citing Conference Paper
  • January 2005