Results 1 - 10 of 268
Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
1996
Cited by 321 (3 self)
By carefully measuring the amount of time required to perform private key operations, attackers may be able to find fixed Diffie-Hellman exponents, factor RSA keys, and break other cryptosystems. Against a vulnerable system, the attack is computationally inexpensive and often requires only known ciphertext. Actual systems are potentially at risk, including cryptographic tokens, network-based cryptosystems, and other applications where attackers can make reasonably accurate timing measurements. Techniques for preventing the attack for RSA and Diffie-Hellman are presented. Some cryptosystems will need to be revised to protect against the attack, and new protocols and algorithms may need to incorporate measures to prevent timing attacks.
An efficient system for non-transferable anonymous credentials with optional anonymity revocation
2001
Cited by 143 (3 self)
A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
COCA: A Secure Distributed Online Certification Authority
ACM Transactions on Computer Systems
"... this article, is such an online CA ..."
A Protocol for Anonymous Communication Over the Internet
ACM Journal of Computer Security, 2000
Cited by 91 (4 self)
With the growth and acceptance of the Internet, there has been increased interest in maintaining anonymity in the network. This paper presents a new protocol for initiator anonymity called Hordes, which uses forwarding mechanisms similar to those used in previous protocols for sending data, but is the first protocol to make use of the anonymity inherent in multicast routing to receive data. We show this results in shorter transmission latencies and requires less work of the protocol participants, in terms of the messages processed. We also present a comparison of the security and anonymity of Hordes with previous protocols, using the first quantitative definition of anonymity and unlinkability. Our analysis shows that Hordes provides anonymity in a degree similar to that of Crowds and Onion Routing. We find that Onion Routing best maintains anonymity of the three protocols examined, but also that Hordes has numerous performance advantages.
Privacy-enhancing technologies for the Internet
Cited by 81 (4 self)
The increased use of the Internet for everyday activities is bringing new threats to personal privacy. This paper gives an overview of existing and potential privacy-enhancing technologies for the Internet, as well as motivation and challenges for future work in this field.
Trustee-based Tracing Extensions to Anonymous Cash and the Making of Anonymous Change
In Proceedings of the Sixth Annual ACM-SIAM Symposium on Discrete Algorithms, 1995
Cited by 76 (0 self)
Electronic cash is a subject of great economic, political, and research importance. With advances in computer networks, in processor speed, and in databases and with advances in note counterfeiting technology and with both individuals' and businesses' desire for remote and more convenient financial transactions, some forms of electronic cash are likely to become widespread within 5 to 10 years. While unconditionally anonymous electronic cash systems have been proposed in the literature, governmental and financial institutions are unwilling to back a completely anonymous system. Instead, they have proposed systems with little or no protection for the users' privacy. Their reasons for opposing complete untraceability have to do with the containment of user fraud and the desire to restrict the new kinds of crime that unrestricted remotely withdrawable and spendable electronic cash could facilitate. We introduce the first electronic cash systems which incorporate trustee-based tracing but...
SPKI certificate theory
IETF RFC, 1999
Cited by 72 (0 self)
This document is one of three, superseding the draft filed under the name draft-ietf-spki-cert-theory-00.txt. SPKI structure definitions are to be found in draft-ietf-spki-cert-structure-*.txt and examples of certificate uses are to be found in draft-ietf-spki-cert-examples-*.txt. Distribution of this document is unlimited. Comments should be sent to the SPKI (Simple Public Key Infrastructure) Working Group mailing list <spki@c2.net> or to the authors. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months. Internet-Drafts may be updated, replaced, or obsoleted by other documents at any time. It is not appropriate to use Internet-Drafts as reference material or to cite them other than as a "working draft" or "work in progress." Ellison, et al. [Page 1] INTERNET-DRAFT SPKI Certificate Theory 10 March 1998. To learn the current status of any Internet-Draft, please check the 1id-abstracts.txt listing contained in the Internet-Drafts Shadow
ID-Based Blind Signature and Ring Signature from Pairings
Proc. of Asiacrypt 2002, LNCS 2501, 2002
Cited by 68 (10 self)
Recently, bilinear pairings such as the Weil pairing or the Tate pairing on elliptic curves and hyperelliptic curves have found various applications in cryptography. Several identity-based (simply ID-based) cryptosystems using bilinear pairings of elliptic curves or hyperelliptic curves have been presented. Blind signatures and ring signatures are very useful for providing the user's anonymity and the signer's privacy. They play an important role in building e-commerce. In this paper, we first propose an ID-based blind signature scheme and an ID-based ring signature scheme, both of which are based on bilinear pairings. We also analyze their security and efficiency.
Towards sound approaches to counteract power-analysis attacks
1999
Cited by 66 (0 self)
Side channel cryptanalysis techniques, such as the analysis of instantaneous power consumption, have been extremely effective in attacking implementations on simple hardware platforms. There are several proposed solutions to resist these attacks, most of which are ad hoc and can easily be rendered ineffective. A scientific approach is to create a model for the physical characteristics of the device, and then design implementations provably secure in that model, i.e., they resist generic attacks with an a priori bound on the number of experiments. We propose an abstract model which approximates power consumption in most devices and in particular small single-chip devices. Using this, we propose a generic technique to create provably resistant implementations for devices where the power model has reasonable properties, and a source of randomness exists. We prove a lower bound on the number of experiments required to mount statistical attacks on devices whose physical characteristics satisfy reasonable properties.
Easy Come - Easy Go Divisible Cash
1998
Cited by 63 (1 self)
Recently, there has been an interest in creating practical anonymous electronic cash with the ability to conduct payments of exact amounts, as is typically the practice in physical payment systems. The most general solution for such payments is to allow electronic coins to be divisible (e.g., each coin can be spent incrementally but total purchases are limited to the monetary value of the coin). In Crypto'95, T. Okamoto presented the first efficient divisible, anonymous (but linkable) off-line e-cash scheme requiring only O(log N) computations for each of the withdrawal, payment and deposit procedures, where N = (total coin value) / (smallest divisible unit) is the divisibility precision. However, the zero-knowledge protocol used for the creation of a blinded unlinkable coin by Okamoto is quite inefficient and is used only at set-up to make the system efficient. Incorporating "unlinkable" blinding only in the set-up, however, limits the level of anonymity offered by allowing the linking of all coins withdrawn, rather than a more desirable anonymity which allows only linking of subcoins of a withdrawn coin. In this paper we make a further step towards practicality of complete (i.e., divisible) anonymous e-cash by presenting a solution where all procedures (set-up, withdrawal, payment and deposit) are bounded by tens of exponentiations; in particular we improve on Okamoto's result by 3 orders of magnitude, while the size of the coin remains about 300 Bytes, based on a 512 bit modulus. Moreover, the protocols are compatible with tracing methods used for "fair" or "revokable" anonymous cash.