PRIVATE BIDDING FOR MOBILE AGENTS

Bartek Gedrojc, Kathy Cartrysse, Jan C. A. van der Lubbe

Delft University of Technology

Mekelweg 4, 2628 CD, Delft, the Netherlands

Keywords:

Untrustworthy Environments, Oblivious Third Party, Φ-Hiding Assumption, ElGamal, Mobile Software

Agents, Multi-Party Computation.

Abstract:

A major security and privacy threat for Mobile Software Agents are Untrustworthy Environments; which are

able to spy on the agents’ code and private data. By combining Multi-Party Computation with ElGamal public-

key encryption system we are able to create a protocol capable of letting two agents have a private bidding

within an Honest-but-Curious environment only with the help of an Oblivious Third Party. The Oblivious

party is able to compare two encrypted inputs without being able to retrieve any information about the inputs.

1 INTRODUCTION

In this vast growing digital era we are more often sur-

rounded by intelligent devices which can support us

in our daily life. While information ﬂows through

these ambient devices, which are not only connected

to local networks but also to the outside world, we

can expect to encounter security and privacy threats.

The most alarming threat is the malicious user who

has the ability to create malicious agents, spy on in-

secure communication channels but also to create un-

trustworthy environments (Claessens et al., 2003).

Every environment has total control over the infor-

mation that is executed in his digital “world” and it

can therefore manipulate the agent code. One topic

that so far received relatively little attention in lit-

erature is the execution of mobile software agents

within untrustworthy environments. Most research

focusses on malicious agents and communications,

and assumes the agents are executed in trusted envi-

ronments.

Mobile software agents may possess private infor-

mation of their user e.g. credit card numbers, personal

preferences, etc. Agents should be able to perform

tasks on behalf of their users by using this personal

information within untrustworthy environments with-

out compromising security and privacy.

One of the solutions to the untrustworthy environ-

ments problem is Execution Privacy, which strives to

the correct execution of software agents while keep-

ing the agent code and state private

In section 2 we present our model and we will dis-

cuss the relation between previous work. Section 3

describes the building blocks that are necessary to

construct the protocol. In section 4 the protocol is

presented, while section 5 discusses the security of

the protocol. Finally, section 6 ends with concluding

remarks.

2 PROBLEM DESCRIPTION

This paper addresses the private bidding problem

which was introduced by (Cachin, 1999): Alice wants

to buy some goods from Bob if the price is less than

a and Bob would like to sell, but only for more than b

and neither of them wants to reveal the secret bounds.

Our objective is to demonstrate that private bidding is

also feasible with Mobile Software Agents while this

bidding takes places in an untrustworthy environment.

To achieve this goal we are using an Oblivious Third

Party to compare the bids of Alice and Bob without

learning any information about a or b.

2.1 Model

Our private bidding for mobile agent model is almost

similar to the original private bidding model as was

described by (Cachin, 1999). Only, in our case the

277

Gedrojc B., Cartrysse K. and C. A. van der Lubbe J. (2006).

PRIVATE BIDDING FOR MOBILE AGENTS.

In Proceedings of the International Conference on Security and Cryptography, pages 277-282

DOI: 10.5220/0002102702770282

Copyright

c

SciTePress

communication between the Agents (bidders) is done

in an untrustworthy environment i.e. public environ-

ment instead of a private environment. Therefore, we

must make sure that the communication between the

agents and the ﬁnal decision on who has the highest

bid remains secure and private, even if this takes place

in an untrustworthy environment, see Figure 1.

OTP

OTP

Figure 1: Private Bidding Scenario.

Alice (A), Bob (B) and the Oblivious Third Party

(OTP) are the three parties involved in the model.

Also, Alice and Bob are mobile software agents who

share some random secret with each other. The OTP

is a trusted party that will correctly execute the inputs

a, b given by Alice or Bob, without being able to learn

any information about the inputs. The goal of Alice

and Bob is to determine if a > b. In an e-commerce

setting this means that the maximum price the buyer

(Alice) is willing to pay is greater than the minimum

price the seller (Bob) is willing to receive. Besides

this, they will only reveal their actual bids a, b if it

satisﬁes the a > b condition, otherwise they will keep

their secrets private.

Our agent bidding model is situated in an untrust-

worthy environment. Due to the hardness of the prob-

lem we assume that this environment will execute the

agents and the code correctly, but it is interested in

what it is processing. This implies that the agents are

not able to use their private keys or any other secret

data. Therefore, we will use the OTP to perform the

comparison of the inputs without revealing it to the

untrustworthy environment.

The Untrustworthy Environment is also called an

honest-but-curious adversary which was introduced

by (Rabin, 1981). Consequently, the environment

is a server executing the mobile code i.e. the mo-

bile agent, while storing all information from the

agents and all communication between the agents.

The server is not a Malicious Environment trying to

modify the mobile code. Our goal is to ensure the

server does not learn the private inputs a, b before the

agents decide privately to reveal their secret inputs

e.g. when the bidding satisﬁes a > b.

2.2 Contribution

We present a Private Bidding protocol for Mobile

Software agents while these agents are situated in

an Honest-but-Curious environment only by using an

Oblivious Third Party. Our solution mixes the Private

Agent Communication algorithm from (Cartrysse,

2005; Cartrysse and van der Lubbe, 2004) with the

Private Bidding protocol from (Cachin, 1999).

With our contribution we demonstrate that it is pos-

sible to have a secure, efﬁcient and fair private bid-

ding protocol for mobile software agents. Applica-

tions can be found in e-commerce scenarios where the

bidding takes place on a public server and where the

user has no communication with his mobile software

agents.

2.3 Related Work

Private bidding originates from the Millionaires’

problem initially described by (Yao, 1982). Fur-

ther research proved that any multi-party function can

be computed securely even without the help from

a third party (Goldreich, 2002). But, according

to (Algesheimer et al., 2001) secure mobile agents

schemes do not exist when some environment is to

learn information that depends on the agent’s current

state. Therefore, in order to merge mobile agents

with multi-party computation techniques we needed

the help of an Oblivious Third Party.

The concept of combining mobile agents and

making decisions in the encrypted domain origi-

nates from (Sander and Tschudin, 1998a; Sander

and Tschudin, 1998b). They proposed a software

only non-interactive computing with encrypted func-

tions which was based on homomorphic encryption

schemes. We elaborate on their concept by using (El-

Gamal, 1984) as the basis of our agent communica-

tion algorithm. We also manifest that the ElGamal

encryption in our model can be used with the homo-

morphic in addition property without loosing security.

The Non-Interactive CryptoComputing for N C

1

by (Sander et al., 1999) also discusses computing

with encrypted functions w.r.t. mobile agent systems.

Their solution is capable of comparing two private in-

puts but it does not provide fairness because the inputs

must be encrypted by one of the agents’ public keys.

Consequently, the results will only be available to one

of agents. Also, the private key to decrypt the result of

the comparison cannot be used in the untrustworthy

environment and therefore the agent must leave this

environment to learn the result of the computation.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

278

3 BUILDING BLOCKS

Before discussing the private bidding protocol in

paragraph 4 we will elaborate more on the crypto-

graphic techniques which we have used.

3.1 Φ-Hiding Assumption

Our model is based on the Φ-Hiding Assumption (Φ-

HA) published by (Cachin et al., 1999), which states

the difﬁculty of deciding whether a small prime di-

vides φ(m), where m is a composite integer of un-

known factorization. We use the Φ-HA as follows:

Choose randomly m that hides a prime p

0

so it is hard

to distinguish if p

0

or p

1

is a factor of φ(m), where p

1

is randomly and independent chosen i.e. it is compu-

tationally indistinguishable.

Let us choose m = p

′

q

′

where p

′

is a safe prime

(prime p is a safe prime if

p−1

2

is also a prime) and q

′

is a quasi-safe prime. We compute p

′

= 2q

1

+ 1 and

q

′

= 2pq

1

+ 1, where q

1

is a prime and p, q

2

are odd

primes.

The Euler totient function φ(m) is deﬁned as the

number of positive integers ≤ m which are relative

prime to m. This results in the Euler totient theorem

g

φ(m)

≡ 1 mod m

(1)

where g ∈ Z. Next, we compute the Euler totient

function:

φ(m) = φ(p

′

q

′

) = (p

′

− 1)(q

′

− 1)

= (2q

1

+ 1 − 1)(2pq

1

+ 1 − 1)

= (2q

1

)(2pq

2

) = 4pq

1

q

2

(2)

Combining (1) and (2) we can compute:

g

4pq

1

q

2

≡ 1 mod m

(3)

Given a set of primes P = {p

1

, . . . , p

n

} where n ≥ 0

we can compute

Q

n

i=0

p

i

. Also, by computing m that

hides a prime p we can use the Φ-HA to determine if

P contains a p-th root module m using the factoriza-

tion of m. To perform this check one computes

g

4pq

1

q

2

p

n

i=0

p

i

≡ 1 mod m

(4)

if it is congruent to 1 modulo m then the set P hides

p else is does not. Note that m hides p if and only

if p|φ(m). It is important that the g ∈ Z should not

be a p-th root module m i.e. there exists no µ such

that µ

p

≡ g mod m. Therefore, we should choose

g ∈ QR

m

because p should not be an even prime.

3.2 Homomorphic E-E-D

In (Cartrysse and van der Lubbe, 2004) an algorithm

is described that is able to encrypt a message m with

the key of Alice and send it to Bob who encrypts the

message again with his own key. Resulting in the

message to be send back to Alice, who will be able

to decrypt the message and be left with the message

encrypted by Bob. This algorithm, as visualized in

Figure 2 is know as E-E-D (Encryption-Encryption-

Decryption).

x

E

pk1

(x) E

pk2

(E

pk1

(x)) E

pk2

(x)

Figure 2: E-E-D model.

Our private bidding model uses this E-E-D prop-

erty, as well as the homomorphic addition based on

ELGamal encryption (ElGamal, 1984). The idea be-

hind the model is to encrypt two messages with differ-

ent keys and add them together. Next, the messages

are decrypted with the ﬁrst key and the result will be

the addition of the two messages which are only en-

crypted with the second key, see Figure 3.

x

1

E

pk1

(x

1

) E

pk2

(E

pk1

(x

1

))

pk1 pk2

E

pk1

(x

2

) E

pk2

(E

pk1

(x

2

))

E

pk2

(x

1

+x

2

)

k1

x

2

E

pk2

(E

pk1

(x

1

+x

2

))

Figure 3: Homomorphic E-E-D in Addition model.

We generate a large prime p and a generator g ∈

Z

∗

p

. We choose a random integer a

1

, 1 ≤ a

1

≤ p − 2

and compute ω = g

a

1

mod p. We also need to select

a random integer k

1

, 1 ≤ k

1

≤ p − 2 and compute the

following

γ

1

= g

k

1

mod p

δ

1,x

1

= x

1

ω

k

1

mod p

The public key (pk1) is (p, g, ω

1

), the message is

x

1

, the cipher text is c

1,x

1

= (γ

1

, δ

1,x

1

) and the secret

key (sk1) is a

1

. Next we can encrypt δ

1,x

1

, using a

new public key ω

2

but with the same generator g and

prime p. We must also compute ω

2

= g

a

2

mod p and

use this to encrypt the message using the following

γ

2

= g

k

2

mod p

δ

2,x

1

= δ

1,x

1

ω

k

2

2

mod p = x

1

ω

k

1

1

ω

k

2

2

mod p

The public key (pk2) is (p, g, ω

2

), the cipher text

is c

2,x

1

= (γ

1

, δ

2,x

1

) and the secret key (sk2) is

a

2

. For convenience we can write the above steps

as E

pk2

(E

pk1

(x

1

)) which represent the top left two

function blocks from Figure 3.

We also want to encrypt a message x

2

with the

same keys and the same random integers k

1

, k

2

as

PRIVATE BIDDING FOR MOBILE AGENTS

279

message x

1

, which can be calculated as above. We

can write this result as E

pk2

(E

pk1

(x

2

)) which repre-

sents the two bottom left function blocks from Figure

3. Next we can add the two encrypted messages δ

2,x

1

,

δ

2,x

2

using the homomorphic property of ElGamal as

follows

δ

2,x

1

+ δ

2,x

2

= δ

1,x

1

ω

k

2

2

mod p + δ

1,x

2

ω

k

2

2

mod p

= x

1

ω

k

1

1

ω

k

2

2

mod p + x

2

ω

k

1

1

ω

k

2

2

mod p

= (x

1

+ x

2

)ω

k

1

1

ω

k

2

2

mod p

= δ

2,x

1

+x

2

= x

The two encrypted messages δ

2,x

1

, δ

2,x

2

can only

be added to one another when they are both encrypted

with the same public keys and with the same k

1

, k

2

.

The result is E

pk2

(E

pk1

(x

1

+ x

2

)) and can be de-

crypted using the ﬁrst private key a

1

and the follow-

ing formula

x

′

= D

sk1

(x) =

δ

2,x

1

+x

2

γ

a

1

1

mod p

=

(x

1

+ x

2

)ω

k

1

1

ω

k

2

2

g

k

1

a

1

mod p

= (x

1

+ x

2

)ω

k

2

2

mod p

We now have the ﬁrst and the second message

added to one another and encrypted with the second

public key pk2, which can be written as

D

sk1

(E

pk2

(E

pk1

(x

1

+ x

2

))) = E

pk2

(x

1

+ x

2

) = x

′

Consequently, decrypting x

′

produces the following

D

sk1

(x

′

) =

x

′

γ

a

2

2

mod p

=

(x

1

+ x

2

)ω

k

2

2

g

k

2

a

2

mod p

= x

1

+ x

2

which is the addition of the two messages without en-

cryption (plaintext).

It has to be noticed that according to the

Difﬁe-Hellman problem it is impossible to compute

g

ak

mod p from g

a

mod p and g

k

mod p (Difﬁe and

Hellman, 1976). This means that the key a and the

random integer k must remain secure, and prefer-

ably be changed frequently. We have chosen to make

a double encryption by one user using an equal k,

because otherwise we cannot use the homomorphic

property in addition of the ElGamal encryption. A se-

curity evaluation will follow in paragraph 5 concern-

ing the use of this identical k.

4 PROTOCOL

The protocol starts by letting the Oblivious Third

Party (OTP) generate an ElGamal key-pair with the

public-key E

pkt

and the secret-key D

skt

.

The buyer Alice does not want to spend more than

her maximum amount a, which can be represented as

a binary string. She also chooses random and inde-

pendent values x

l

, x

l−1

, . . . , x

0

∈ Z, r

l−1

, . . . , r

0

∈

Z and s

l−1

, . . . , s

0

∈ Z, where l is the amount of bits

needed for a and b, and where b is the minimum price

of Bob the seller.

Alice needs to deﬁne an n-bit prime p

a

= λ(t

a

)

where t

a

∈ {0, 1}

n

is randomly chosen. Using λ(x)

she can map a string x to an n-bit prime p e.g. by

ﬁnding the smallest prime greater than x. Then Alice

generates a random m

A

using the Φ-Hiding Assump-

tion, as described above, which hides her prime p

a

.

She also computes G

a

=

φ(m

a

)

p

a

which is kept secret

from the OTP.

Next, a key κ for the hash function H

κ

must be

generated and published. Then Alice needs to calcu-

late ϕ

a,j

using the hash function H

κ

(x

j

+ s

j

) and

compute the following for j = l − 1, . . . , 0

ϕ

a,j

= H

κ

(x

j

+ s

j

) ⊕ t

a

Alice also needs to encrypt the input string a

j

using

her public-key E

pka,j

and random integers k

a,j

for

j = l − 1, . . . , 0. This has to be “sealed” using the

public-key of the OTP and the random integers k

t,j

y

a,j

=

E

pkt,j

(E

pka,j

(x

j

− x

j+1

+ r

j

))

E

pkt,j

(E

pka,j

(x

j

− x

j+1

+ s

j

+ r

j

))

if a

j

= 0

if a

j

= 1

The bidding is prepared for Bob by Alice using the

same cryptosystem with random integers k

t,j

, k

a,j

and public-keys E

pkt,j

y

b,j

=

y

b0,j

= E

pkt,j

(E

pka,j

(−r

j

))

y

b1,j

= E

pkt,j

(E

pka,j

(−s

j

− r

j

))

if b

j

= 0

if b

j

= 1

She also computes

Ψ

b,j

= H

κ

(x

j

− s

j

)

and sends it to Bob.

Bob is able to acquire the public y

b0,j

, y

b1,j

and

compute according his own input string b

j

, y

b,j

. Be-

cause y

a,j

is also publicly available he can compute

y

ab,j

using

y

ab,j

= y

a,j

+ y

b,j

(5)

To be sure that the Untrustworthy Environment will

not be able to construct b from y

ab

Bob has to encrypt

(5) again, by computing

w

ab,j

= E

pkt,j

(y

ab,j

)

The only requirement is that Bob uses the same cryp-

tosystem as Alice is using, in other words he has to

use the same generator g and prime p but he can use a

different k.

Bob has already chosen a t

b

∈ {0, 1}

n

, deﬁned

an n-bit prime p

b

= λ(t

b

) and generated a random

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

280

m

b

. He also computes G

b

=

φ(m

b

)

p

b

and keeps this

secret from the OTP. Bob receives from Alice Ψ

a,j

and computes before entering the environment for

j = l − 1, . . . , 0

ϕ

b,j

= Ψ

a,j

⊕ t

b

Alice and Bob have prepared their bidding using

the public information and are now able to move into

the Untrustworthy Environment. Then Bob sends

ϕ

b,j

, m

b

and w

ab,j

to Alice.

Alice is able to decrypt w

ab,j

because she is in pos-

session of the secret-key D

ska,j

z

j

= D

ska,j

(w

ab,j

)

= D

ska,j

(E

pkt,j

(E

pkt,j

(E

pka,j

(y

ab,j

))))

= E

pkt,j

(E

pkt,j

(y

ab,j

))

The bidding is prepared and Alice sends

κ, x

l

, z

l−1

, . . . , z

0

, ϕ

a,l−1

, . . . , ϕ

a,0

ϕ

b,l−1

, . . . , ϕ

b,0

, m

a

, m

b

to the OTP.

The OTP makes c

l

= x

l

and chooses g

a,l

∈ QR

m

a

,

g

b,l

∈ QR

m

b

by selecting a random element of Z

m

a

,

respectively Z

m

b

, and squaring it. For j = l−1, . . . , 0

the following ﬁve steps are repeated

1.c

j

= c

j+1

+ D

skt,j

(D

skt,j

(z

j

))

2.q

a,j

= λ(H

κ

(c

j

) ⊕ ϕ

a,j

)

3.g

a,j

= (g

a,j+1

)

q

a,j

mod m

a

4.q

b,j

= λ(H

κ

(c

j

) ⊕ ϕ

b,j

)

5.g

b,j

= (g

b,j+1

)

q

b,j

mod m

b

After this iteration the OTP chooses r

a

∈ Z

m

a

,

r

b

∈ Z

m

b

randomly and independently, computing

h

a

= (g

a,0

)

r

a

h

b

= (g

b,0

)

r

b

where h

a

is send to Alice and h

b

is send to Bob.

Both agents can test the result given by the OTP

by using the factorization of m

a

and m

b

. Alice can

check if a > b

h

G

a

a

= h

φ(m

a

)

p

a

a

≡ 1 mod m

a

Similarly, Bob can check if a < b by computing

h

G

b

b

= h

φ(m

b

)

p

b

b

≡ 1 mod m

b

5 SECURITY

The original private bidding protocol by (Cachin,

1999) did not use ElGamal for the communication be-

tween the bidders. Our choice for ElGamal was de-

ﬁned by the use of the E-E-D algorithm, which also

implies that we could not encrypt 0 because it did not

lie in the group. Therefore, we had to add an extra

parameter r

j

to solve this problem.

Secure: Our protocol is secure if the bidding takes

place in a honest-but-curious environment that does

not conspire with the OTP e.g. the environment

should not give the private-key of Alice to the OTP

which is used to decrypt w

ab,j

.

Private-key: The environment is able to spy on

the agents’ code and communication. Therefore it

possesses the private decryption key of Alice D

ska,j

.

This private-key is only known by the environment

and Alice, and should not be know by the OTP. This

is not a threat, because one of the constraints of the

model is that the OTP and the environment do not

conspire. Even, if the environment decrypts the in-

puts, it is still not able to recover the plaintext because

it needs the private-key of the OTP.

Conspire: The OTP and the environment should

not conspire otherwise the OTP is able to learn the pri-

vate inputs a, b of Alice and Bob. Using the private-

key of Alice, the OTP is able to learn the plaintext

content of y

a,j

and y

b,j

which are the transformed

private bids of the agents. To do so, he also needs

to know if y

b,j

corresponds with b

j

= 0 or b

j

= 1.

When the OTP possesses G

a

or G

b

, given by the

environment, then it is capable of checking after every

iteration in the ﬁnal stage of the protocol when it con-

tains a p-th root modulo m

a

or m

b

. This means the

OTP will learn in which bit-position j the inputs a

and b are different for the ﬁrst time. It will also know

that the bits before j are equal. Therefore, G

a

and G

b

should not be known to the OTP.

Fair: The protocol is fair because both Alice and

Bob are able to check individually what the result is

of the comparison computed by the OTP.

Efﬁcient: While only having two messages be-

tween Alice and Bob and two messages between the

bidders and the OTP, we can say the protocol is ef-

ﬁcient. The efﬁciency is gained by using an OTP

with standard cryptographic techniques instead of us-

ing circuits.

Random k: ElGamal is not secure if we us the ho-

momorphic in addition property, because we have to

keep the random k identical for every encryption. In

our case we also keep the k the same but we claim

this is secure. Alice is the only one who encrypts the

messages y

a,j

, y

b0,j

and y

b1,j

therefore she is the only

one who knows the content of the messages; which is

also not known to Bob. Suppose the same k is used to

encrypt two messages x

1

and x

2

and the result is the

ciphertext pairs (γ

1

, δ

1

) and (γ

2

, δ

2

). Then

δ

1

δ

2

=

x

1

x

2

(6)

is easily computed if x

1

or x

2

is known (Menezes

et al., 1996). In our case, the messages are only

PRIVATE BIDDING FOR MOBILE AGENTS

281

known to Alice and therefore no other entity is ca-

pable of computing (6). We therefore assume that the

use of the identical k does not make our model inse-

cure.

Cheating bidder: Alice initiates the private bid-

ding, therefore she can cheat the protocol. This could

be prevented by adding commitments and letting the

OTP be more actively involved in the bidding process.

If Bob would collude with the environment and get

access tot the private-key of Alice, he could use the

OTP as an oracle by querying it and gaining access to

her private data.

6 CONCLUSION

We have presented our private bidding protocol that

keeps the bids of the bidders private if the communi-

cation is executed in an honest-but-curious environ-

ment and where the involved parties do not collude

with one another. We have also seen that the system

crumbles if one of the parties is malicious, and manip-

ulates the data or communication. We have demon-

strated that private bidding is possible for mobile soft-

ware agents, but future work is needed to make the

system more resilient.

REFERENCES

Algesheimer, J., Cachin, C., Camenisch, J., and Karjoth, G.

(2001). Cryptographic security for mobile code. In

Proceedings of the IEEE Symposium on Security and

Privacy, page 2. IEEE Computer Society.

Cachin, C. (1999). Efﬁcient private bidding and auctions

with an oblivious third party. In CCS ’99: Proceedings

of the 6th ACM conference on Computer and com-

munications security, pages 120–127, New York, NY,

USA. ACM Press.

Cachin, C., Micali, S., and Stadler, M. (1999). Compu-

tationally private information retrieval with polyloga-

rithmic communication. Lecture Notes in Computer

Science, 1592:402–414.

Cartrysse, K. (2005). Private Computing and Mobile Code

Systems. PhD thesis, Delft University of Technology.

Cartrysse, K. and van der Lubbe, J. (August 2004). Privacy

in mobile agents. First IEEE Symposium on Multi-

Agent Security and Survivability.

Claessens, J., Preneel, B., and Vandewalle, J. (2003). (how)

can mobile agents do secure electronic transactions on

untrusted hosts? a survey of the security issues and the

current solutions. ACM Trans. Inter. Tech., 3(1):28–

48.

Difﬁe, W. and Hellman, M. (1976). New directions in cryp-

tography. IEEE Transactions on Information Theory,

IT-22(6):644–654.

ElGamal, T. (1984). A public key cryptosystem and a sig-

nature scheme based on discrete logarithms. In Pro-

ceedings of CRYPTO 84 on Advances in cryptology,

pages 10–18. Springer-Verlag New York, Inc.

Goldreich, O. (2002). Secure multi-party computation. Fi-

nal (incomplete) Draft, Version 1.4.

Menezes, A., Vanstone, S., and Oorschot, P. v. (1996).

Handbook of Applied Cryptography. CRC Press, Inc.

Rabin, M. O. (1981). How to exchange secrets with obliv-

ious transfer. Cryptology ePrint Archive, Report

2005/187. http://eprint.iacr.org/.

Sander, T. and Tschudin, C. F. (1998a). Protecting mobile

agents against malicious hosts. Lecture Notes in Com-

puter Science, 1419:44–60.

Sander, T. and Tschudin, C. F. (1998b). Towards mobile

cryptography. In Proceedings of the IEEE Symposium

on Security and Privacy, Oakland, CA, USA. IEEE

Computer Society Press.

Sander, T., Young, A., and Yung, M. (1999). Non-

interactive cryptocomputing for NC 1. In IEEE Sym-

posium on Foundations of Computer Science, pages

554–567.

Yao, A. (1982). Protocols for secure computations. In

Carberry, M. S., editor, Proceedings of the 23rd An-

nual IEEE Symposium on Foundations of Computer

Science, Chicago IL, pages 160–164. IEEE Computer

Society Press.

SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY

282