Traffic Analysis: Protocols, Attacks, Design Issues and Open Problems
- PROCEEDINGS OF INTERNATIONAL WORKSHOP ON DESIGN ISSUES IN ANONYMITY AND UNOBSERVABILITY, 2001
Cited by 109 (0 self)
We present the traffic analysis problem and expose the most important protocols, attacks and design issues. Afterwards, we propose directions for further research. As we are mostly interested in efficient and practical Internet based protocols, most of the emphasis is placed on mix based constructions. The presentation is informal in that no complex definitions and proofs are presented, the aim being more to give a thorough introduction than to present deep new insights.
Rapid Demonstration of Linear Relations Connected by Boolean Operators
- In EUROCRYPT ’97, 1997
Cited by 31 (0 self)
Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption. 1 Introduction Consider a polynomial-time prover that has committed to a vector of secrets and wants to demonstrate that the secrets satisfy some satisfiable formula from propositional logic, where the atomic propositions are relations that are linear in the secrets. An example formula is $\big((5x_1 - 3x_2 = 5) \text{ AND } (2x_2 + 3x_3 = 7)\big) \text{ OR } \big(\text{NOT}(x_1 + 4x_3 = 5)\big)$, where $(x_1, \ldots, x_k)$ is the prover's vector of secrets. The prover does not want to reveal any more information about its secrets than what is co...
A Secure Three-move Blind Signature Scheme for Polynomially Many Signatures
- Proc. Eurocrypt'01, LNCS 2045, 2001
Cited by 8 (0 self)
Abstract. Known practical blind signature schemes whose security against adaptive and parallel attacks can be proven in the random oracle model either need five data exchanges between the signer and the user or are limited to issue only logarithmically many signatures in terms of a security parameter. This paper presents an efficient blind signature scheme that allows a polynomial number of signatures to be securely issued while only three data exchanges are needed. Its security is proven in the random oracle model. As an application, a provably secure solution for double-spender-traceable e-cash is presented.
Investigation of Network-based Approaches for Privacy
- IN PROC. OF THE CANADIAN INFORMATION TECHNOLOGY SECURITY SYMPOSIUM. COMMUNICATIONS SECURITY ESTABLISHMENT (CANADA). FTP://AI.IIT.NRC.CA/PUB/IIT-PAPERS/NRC-44900.PDF, 2001
Cited by 3 (0 self)
We first provide an overview of the better known network approaches for assuring anonymity and privacy over networks. We then analyze possible attacks to these networks based on traffic analysis techniques and discuss their implementation and design issues for network privacy. In the conclusion we discuss the results, indicating research opportunities in this domain.
A Survey of Anonymous Blacklisting Systems
Cited by 3 (2 self)
Abstract—Anonymous communications networks, such as Tor, help to solve the real and important problem of enabling users to communicate privately over the Internet. However, by doing so, they also introduce an entirely new problem: How can service providers on the Internet allow anonymous access while protecting themselves against abuse by misbehaving anonymous users? Recent research efforts have proposed anonymous blacklisting systems (which are sometimes called anonymous revocation systems) to solve this problem. As opposed to revocable anonymity systems, which enable some trusted third party to deanonymize users, anonymous blacklisting systems provide users with a way to authenticate anonymously with a service provider (such as a website), while enabling the service provider to revoke access from any users that misbehave without revealing their identities. Unfortunately, although the various anonymous blacklisting systems are designed to solve similar problems, each operates under different assumptions and no unified security definitions exist. This paper proposes a formal definition for anonymous blacklisting systems, and a set of security and privacy properties that they should possess to protect: 1) users’ privacy against malicious service providers and third parties (including other malicious users), and 2) service providers against abuse by malicious users. We then propose a set of new performance requirements that should be satisfied to maximize any anonymous blacklisting system’s potential for real-world adoption, and provide formal definitions of some optional features already found in the literature on anonymous blacklisting systems. With especially close attention paid to the category we call Nymble-like systems, we give an overview of the anonymous blacklisting systems found in the literature.
Extending Nymble-like Systems
Cited by 2 (2 self)
Abstract—We present several extensions to the Nymble framework for anonymous blacklisting systems. First, we show how to distribute the Verinym Issuer as a threshold entity. This provides liveness against a threshold Byzantine adversary and protects against denial-of-service attacks. Second, we describe how to revoke a user for a period spanning multiple linkability windows. This gives service providers more flexibility in deciding how long to block individual users. We also point out how our solution enables efficient blacklist transferability among service providers. Third, we augment the Verinym Acquisition Protocol for Tor-aware systems (that utilize IP addresses as a unique identifier) to handle two additional cases: 1) the operator of a Tor exit node wishes to access services protected by the system, and 2) a user’s access to the Verinym Issuer (and the Tor network) is blocked by a firewall. Finally, we revisit the objective blacklisting mechanism used in Jack, and generalize this idea to enable objective blacklisting in other Nymble-like systems. We illustrate the approach by showing how to implement it in Nymble and Nymbler.
Making a Nymbler Nymble using VERBS (Extended Version). Computer Science, 2010
Cited by 2 (2 self)
Abstract. In this work, we propose a new platform to enable service providers, such as web site operators, on the Internet to block past abusive users of anonymizing networks (for example, Tor) from further misbehaviour, without compromising their privacy, and while preserving the privacy of all of the non-abusive users. Our system provides a privacy-preserving analog of IP address banning, and is modeled after the well-known Nymble system [29,47,48]. However, while we solve the same problem as the original Nymble scheme, we eliminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third parties. Unlike other approaches that have been considered in the literature [10,44,45,46], we avoid the use of trusted hardware devices or unrealistic assumptions about offline credential issuing authorities who are responsible for ensuring that no user is able to obtain multiple credentials. Thus, our scheme combines the strong privacy guarantees of [10,44,45,46] with a simple infrastructure as in [29,47,48]. To prevent malicious third parties from trivially colluding to reveal the identities of anonymous users we make use of a number of standard zero-knowledge proofs, and to maintain efficiency we introduce a new cryptographic technique which we call verifier efficient restricted blind signatures, or VERBS. Our approach allows users to perform all privacy-sensitive computations locally, and then prove in zero-knowledge that the computations were performed correctly in order to obtain efficiently verifiable signatures on the output — all without revealing neither the result of the computation, nor any potentially identifying information, to the signature issuing authority. Signature verification in our proposed VERBS scheme is 1–2 orders of magnitude more efficient than verification in any known restricted blind signature scheme.
Practical PIR for Electronic Commerce
- 2011
Cited by 2 (2 self)
We extend Goldberg’s multi-server information-theoretic private information retrieval (PIR) with a suite of protocols for privacy-preserving e-commerce. Our first protocol adds support for single-payee tiered pricing, wherein users purchase database records without revealing the indices or prices of those records. Tiered pricing lets the seller set prices based on each user’s status within the system; e.g., non-members may pay full price while members may receive a discounted rate. We then extend tiered pricing to support group-based access control lists with record-level granularity; this allows the servers to set access rights based on users’ price tiers. Next, we show how to do some basic bookkeeping to implement a novel top-K replication strategy that enables the servers to construct bestsellers lists, which facilitate faster retrieval for these most popular records. Finally, we build on our bookkeeping functionality to support multiple payees, thus enabling several sellers to offer their digital goods through a common database while enabling the database servers to determine to what portion of revenues each seller is entitled. Our protocols maintain user anonymity in addition to query privacy; that is, queries do not leak information about the index or price of the record a user purchases, the price tier according to which the user pays, the user’s remaining balance, or even whether the user has ever queried the database before. No other priced PIR or oblivious transfer protocol supports tiered pricing, access control lists, multiple payees, or top-K replication, whereas ours supports all of these features while preserving PIR’s sublinear communication complexity. We have implemented our protocols as an add-on to Percy++, an open source implementation of Goldberg’s PIR scheme. Measurements indicate that our protocols are practical for deployment in real-world e-commerce applications.
Efficient Attributes for Anonymous Credentials
We extend the Camenisch-Lysyanskaya anonymous credential system such that selective disclosure of attributes becomes highly efficient. The resulting system significantly improves upon existing approaches, which suffer from a linear complexity in the total number of attributes. This limitation makes them unfit for many practical applications, such as electronic identity cards. Our system can incorporate an arbitrary number of binary and finite-set attributes without significant performance impact. Our approach folds all such attributes in a single attribute base and, thus, boosts the efficiency of all proofs of possession. The core idea is to encode discrete binary and finite-set attribute values as prime numbers. We use the divisibility property for efficient proofs of their presence or absence. We additionally contribute efficient methods for conjunctions and disjunctions. The system builds on the Strong-RSA assumption alone. We demonstrate the applicability and performance improvements of our method in realistic application scenarios, such as, electronic identity cards and complex/structured credentials. Our method has crucial advantages in devices with restricted computational capabilities, such as smartcards and cell phones.
unknown title
We conduct more and more of our daily interactions over electronic media. The EC-funded project PRIME (Privacy and Identity Management for Europe) envisions that individuals will be able to interact in this information society in a secure and safe way while retaining control of their privacy. The project had set out to prove that existing privacy-enhancing technologies allow for the construction of a user-controlled

