The Dancing Bear: A New Way of Composing Ciphers

  • Ross Anderson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3957)


This note presents a new way of composing cryptographic primitives which makes some novel combinations possible. For example, one can do threshold decryption using standard block ciphers, or using an arbitrary mix of different decryption algorithms – such as any three keys out of two AES keys, a 3DES key, an RSA key and a one-time pad. We also provide a new way to combine different types of primitive, such as encryption and signature. For example, Alice can construct a convertible signature that only Bob can verify, but which he can make world-verifiable using an AES key. We can incorporate even more exotic primitives, such as micropayments and puzzles, into compound constructs.

Previously, there had been two basic ways to combine cryptographic primitives. One could either design a compound primitive, perhaps using the homomorphic properties of discrete exponentiation, or one could embed several primitives into a protocol. Neither is ideal for all applications, and both have been extremely vulnerable to design errors. We provide a third construction that also allows the designer to do new things. We show, for example, how to incorporate cyclic dominance into a cryptographic mechanism, and how it might be used in a digital election scheme. Our new construction not only complements existing ways of composing crypto primitives; it also has the virtue of simplicity.


Block Cipher Stream Cipher Cryptographic Primitive Homomorphic Property Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abadi, M., Needham, R.M.: Prudent Engineering Practice for Cryptographic Protocols. IEEE Transactions on Software Engineering 22(1), 6–15 (1996)CrossRefGoogle Scholar
  2. 2.
    Anderson, R.J.: Security Engineering – A Guide to Building Dependable Distributed Systems. Wiley, Chichester (2001)Google Scholar
  3. 3.
    Anderson, R., Needham, R.: Robustness principles for public key protocols. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 236–247. Springer, Heidelberg (1995)Google Scholar
  4. 4.
    Anderson, R.J., Biham, E.: Two Practical and Provably Secure Block Ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  5. 5.
    Bond, M., Anderson, R.J.: API-Level Attacks on Embedded Systems. IEEE Computer 34(10), 67–75 (2001)CrossRefGoogle Scholar
  6. 6.
    Boyd, C., Mao, W.: On a Limitation of BAN Logic. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 240–247. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  7. 7.
    Byers, J.W., Luby, M., Mitzenmacher, M.: A Digital Fountain Approach to Asynchronous Reliable Multicast. In: IEEE J-SAC, Special Issue on Network Support for Multicast Communication, vol. 20(8), pp. 1528–1540 (October 2002); earlier version as ICSI Technical Report TR-98-005, and SIGCOMM 1998Google Scholar
  8. 8.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24, 84–88 (1981)CrossRefGoogle Scholar
  9. 9.
    Chaum, D.: Blind Signatures for Untraceable Payments. In: Proceedings of Crypto 1982, pp. 199–203. Plenum Press, New York (1983)Google Scholar
  10. 10.
    Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Communications of the ACM 28(10), 1030–1044 (1981)CrossRefGoogle Scholar
  11. 11.
    Chaum, D.: Designated confirmer signatures. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 86–91. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  12. 12.
    Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990)CrossRefGoogle Scholar
  13. 13.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion – Design of a Type III Anonymous Remailer Protocol. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (2003)Google Scholar
  14. 14.
    Dill, D.: Verified,
  15. 15.
    Goldwasser, S., Waisbard, E.: Transformation of Digital Signature Schemes into Designated Confirmer Signature Schemes. In: First Theory of Cryptography Conference (February 04) and MIT TR 329 (March 2003)Google Scholar
  16. 16.
    Jakobsson, M., Stern, J.P., Yung, M.: Scramble all, encrypt small. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 95–111. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Lee, J.H.: The Big Brother Ballot. Operating Systems Review 33(3), 19–25 (1999)CrossRefGoogle Scholar
  18. 18.
    MacKay, D.J.C.: Information Theory, Inference and Learning Algorithms. Cambridge University Press, Cambridge (2003)MATHGoogle Scholar
  19. 19.
    Walters, S., Turnbull, D.: Cabinet Minister in Vote Rigging Enquiry. Mail on Sunday, pp. 1, 8, 9 (May 4, 2003)Google Scholar
  20. 20.
    Rivest, R.L.: All-or-Nothing Encryption and the Package Transform. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 210–218. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  21. 21.
    Rjašková, Z.: Electronic Voting Schemes, at:
  22. 22.
    Schneier, B.: Applied Cryptography. Wiley, Chichester (1995)MATHGoogle Scholar
  23. 23.
    Sen, A.: Collective Choice and Social Welfare, Holden-Day and Oliver and Boyd (1970)Google Scholar
  24. 24.
    Simon, D.R.: Anonymous Communication and Anonymous Cash. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 61–73. Springer, Heidelberg (1996)Google Scholar
  25. 25.
    Syverson, P.F., Goldschlag, D.M., Reed, M.G.: Hiding Routing Information. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 137–150. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  26. 26.
    Wagner, D., Schneier, B.: Analysis of the SSL 3.0 Protocol. In: The Second USENIX Workshop on Electronic Commerce, Proceedings, November 1996, pp. 29–40. USENIX Press (1996)Google Scholar
  27. 27.
    Wheeler, D.: A Bulk Data Encryption Algorithm. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 127–134. Springer, Heidelberg (1994)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ross Anderson
    • 1
  1. 1.Cambridge UniversityUK

Personalised recommendations