Advances in Information and Computer

Security 9th International Workshop on

Security IWSEC 2014 Hirosaki Japan
August 27 29 2014 Proceedings 1st
Edition Maki Yoshida
Visit to download the full and correct content document:
https://textbookfull.com/product/advances-in-information-and-computer-security-9th-in
ternational-workshop-on-security-iwsec-2014-hirosaki-japan-august-27-29-2014-proc
eedings-1st-edition-maki-yoshida/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Risks and Security of Internet and Systems 9th

International Conference CRiSIS 2014 Trento Italy
August 27 29 2014 Revised Selected Papers 1st Edition
Javier Lopez
https://textbookfull.com/product/risks-and-security-of-internet-
and-systems-9th-international-conference-crisis-2014-trento-
italy-august-27-29-2014-revised-selected-papers-1st-edition-
javier-lopez/

Mobile Web Information Systems 11th International

Conference MobiWIS 2014 Barcelona Spain August 27 29
2014 Proceedings 1st Edition Irfan Awan

https://textbookfull.com/product/mobile-web-information-
systems-11th-international-conference-mobiwis-2014-barcelona-
spain-august-27-29-2014-proceedings-1st-edition-irfan-awan/

Intelligent Virtual Agents 14th International

Conference IVA 2014 Boston MA USA August 27 29 2014
Proceedings 1st Edition Timothy Bickmore

https://textbookfull.com/product/intelligent-virtual-agents-14th-
international-conference-iva-2014-boston-ma-usa-
august-27-29-2014-proceedings-1st-edition-timothy-bickmore/

Security and Cryptography for Networks 9th

International Conference SCN 2014 Amalfi Italy
September 3 5 2014 Proceedings 1st Edition Michel
Abdalla
https://textbookfull.com/product/security-and-cryptography-for-
networks-9th-international-conference-scn-2014-amalfi-italy-
september-3-5-2014-proceedings-1st-edition-michel-abdalla/
Computer Safety Reliability and Security 33rd
International Conference SAFECOMP 2014 Florence Italy
September 10 12 2014 Proceedings 1st Edition Andrea
Bondavalli
https://textbookfull.com/product/computer-safety-reliability-and-
security-33rd-international-conference-safecomp-2014-florence-
italy-september-10-12-2014-proceedings-1st-edition-andrea-
bondavalli/

Conceptual Modeling 33rd International Conference ER

2014 Atlanta GA USA October 27 29 2014 Proceedings 1st
Edition Eric Yu

https://textbookfull.com/product/conceptual-modeling-33rd-
international-conference-er-2014-atlanta-ga-usa-
october-27-29-2014-proceedings-1st-edition-eric-yu/

Developments in Language Theory 18th International

Conference DLT 2014 Ekaterinburg Russia August 26 29
2014 Proceedings 1st Edition Arseny M. Shur

https://textbookfull.com/product/developments-in-language-
theory-18th-international-conference-dlt-2014-ekaterinburg-
russia-august-26-29-2014-proceedings-1st-edition-arseny-m-shur/

Augmented Environments for Computer Assisted

Interventions 9th International Workshop AE CAI 2014
Held in Conjunction with MICCAI 2014 Boston MA USA
September 14 2014 Proceedings 1st Edition Cristian A.
Linte
https://textbookfull.com/product/augmented-environments-for-
computer-assisted-interventions-9th-international-workshop-ae-
cai-2014-held-in-conjunction-with-miccai-2014-boston-ma-usa-
september-14-2014-proceedings-1st-edition-cristian/

Search Based Software Engineering 6th International

Symposium SSBSE 2014 Fortaleza Brazil August 26 29 2014
Proceedings 1st Edition Claire Le Goues

https://textbookfull.com/product/search-based-software-
engineering-6th-international-symposium-ssbse-2014-fortaleza-
brazil-august-26-29-2014-proceedings-1st-edition-claire-le-goues/
 Maki Yoshida
Koichi Mouri (Eds.)
LNCS 8639

Advances in Information
and Computer Security
9th International Workshop on Security, IWSEC 2014
Hirosaki, Japan, August 27–29, 2014
Proceedings

123
Lecture Notes in Computer Science 8639
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Maki Yoshida Koichi Mouri (Eds.)

Advances in Information
and Computer Security
9th International Workshop on Security, IWSEC 2014
Hirosaki, Japan, August 27-29, 2014
Proceedings

13
Volume Editors
Maki Yoshida
National Institute of Information and Communications Technology (NICT)
Network Security Research Institute
4-2-1 Nukui-Kitamachi, Koganei
Tokyo 184-8795, Japan
E-mail: maki-yos@nict.go.jp
Koichi Mouri
Ritsumeikan University
College of Information Science and Engineering
1-1-1 Nojihigashi, Kusatsu
Shiga 525-8577, Japan
E-mail: mouri@cs.ritsumei.ac.jp

ISSN 0302-9743 e-ISSN 1611-3349

ISBN 978-3-319-09842-5 e-ISBN 978-3-319-09843-2
DOI 10.1007/978-3-319-09843-2
Springer Cham Heidelberg New York Dordrecht London

Library of Congress Control Number: 2014945125

LNCS Sublibrary: SL 4 – Security and Cryptology

© Springer International Publishing Switzerland 2014
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection
with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and
executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication
or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location,
in ist current version, and permission for use must always be obtained from Springer. Permissions for use
may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution
under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
 Preface

The 9th International Workshop on Security (IWSEC 2014) was held at Hakkoda
Hall, Hirosaki University, in Hirosaki, Japan, during August 27–29, 2014. The
workshop was co-organized by ISEC in ESS of IEICE (Technical Committee on
Information Security in Engineering Sciences Society of the Institute of Elec-
tronics, Information and Communication Engineers) and CSEC of IPSJ (Spe-
cial Interest Group on Computer Security of Information Processing Society of
Japan).
This year, the workshop received 55 submissions. Finally, 13 papers were
accepted as regular papers, and 8 papers were accepted as short papers. Each
submission was anonymously reviewed by at least three reviewers, and these
proceedings contain the revised versions of the accepted papers. In addition to
the presentations of the papers, the workshop also featured a poster session
and two keynote speeches. The keynote speeches were given by Reihaneh (Rei)
Safavi-Naini, and by Yasuhiko Taniwaki.
The best student paper award was given to “Cheater Identifiable Secret Shar-
ing Schemes Via Multi-Receiver Authentication” by Rui Xu, Kirill Morozov and
Tsuyoshi Takagi.
A number of people contributed to the success of IWSEC 2014. We would like
to thank the authors for submitting their papers to the workshop. The selection
of the papers was a challenging and dedicated task, and we are deeply grateful
to the members of Program Committee and the external reviewers for their in-
depth reviews and detailed discussions. We are also grateful to Andrei Voronkov
for developing EasyChair, which was used for the paper submission, reviews,
discussions, and preparation of these proceedings.
Last but not least, we would like to thank the general co-chairs, Kouichi
Sakurai and Masakatsu Nishigaki, for leading the Local Organizing Committee,
and we also would like to thank the members of the Local Organizing Committee
for their efforts to ensure the smooth running of the workshop.

June 2014 Maki Yoshida

Koichi Mouri
 IWSEC 2014
9th International Workshop on Security

Hirosaki, Japan, August 27–29, 2014

Co-organized by
ISEC in ESS of IEICE
(Technical Committee on Information Security in Engineering Sciences Society
of the Institute of Electronics, Information and Communication Engineers)
and
CSEC of IPSJ
(Special Interest Group on Computer Security of Information Processing
Society of Japan)

General Co-chairs
Kouichi Sakurai Kyushu University, Japan
Masakatsu Nishigaki Shizuoka University, Japan

Advisory Committee
Hideki Imai Chuo University, Japan
Kwangjo Kim Korea Advanced Institute of Science and
Technology, South Korea
Günter Müeller University of Freiburg, Germany
Yuko Murayama Iwate Prefectural University, Japan
Koji Nakao National Institute of Information and
Communications Technology, Japan
Eiji Okamoto University of Tsukuba, Japan
C. Pandu Rangan Indian Institute of Technology, India
Ryoichi Sasaki Tokyo Denki University, Japan

Program Co-chairs
Maki Yoshida National Institute of Information and
Communications Technology, Japan
Koichi Mouri Ritsumeikan University, Japan

Poster Chair
Yuji Suga Internet Initiative Japan Inc., Japan
VIII IWSEC 2014

Local Organizing Committee

Yuki Ashino NEC Corporation, Japan
Keita Emura National Institute of Information and
Communications Technology, Japan
Yu-ichi Hayashi Tohoku University, Japan
Masaki Inamura Tokyo Denki University, Japan
Masaki Kamizono SecureBrain Corporation, Japan
Akira Kanaoka Toho University, Japan
Yuichi Komano Toshiba Corporation, Japan
Takashi Matsunaka KDDI R&D Laboratories Inc., Japan
Tomoyuki Nagase Hirosaki University, Japan
Yukiyasu Tsunoo NEC Corporation, Japan

Program Committee
Rafael Accorsi University of Freiburg, Germany
Toru Akishita Sony Corporation, Japan
Claudio Agostino Ardagna Università degli Studi di Milano, Italy
Nuttapong Attrapadung AIST, Japan
Reza Azarderakhsh Rochester Institute of Technology, USA
Sabrina De Capitani
di Vimercati Università degli Studi di Milano, Italy
Isao Echizen National Institute of Informatics, Japan
Sebastian Faust EPFL, Switzerland
Eiichiro Fujisaki NTT, Japan
David Galindo LORIA, France
Dieter Gollmann Hamburg University of Technology, Germany
Goichiro Hanaoka AIST, Japan
Yoshikazu Hanatani Toshiba Corporation, Japan
Swee-Huay Heng Multimedia University, Malaysia
Takato Hirano Mitsubishi Electric Corporation, Japan
Mitsugu Iwamoto The University of Electro-Communications,
Japan
Tetsu Iwata Nagoya University, Japan
Akinori Kawachi Tokyo Institute of Technology, Japan
Angelos Keromytis Columbia University, USA
Hiroaki Kikuchi Meiji University, Japan
Hyung Chan Kim ETRI, South Korea
Takeshi Koshiba Saitama University, Japan
Kenichi Kourai Kyushu Institute of Technology, Japan
Noboru Kunihiro The University of Tokyo, Japan
Kwok-Yan Lam National University of Singapore, Singapore
Kanta Matsuura The University of Tokyo, Japan
Ken Naganuma Hitachi, Japan
 IWSEC 2014 IX

Takashi Nishide University of Tsukuba, Japan

Wakaha Ogata Tokyo Institute of Technology, Japan
Takeshi Okamoto Tsukuba University of Technology, Japan
Yoshihiro Oyama The University of Electro-Communications,
Japan
Thomas Peyrin Nanyang Technological University, Singapore
Axel Poschmann NXP Semiconductors, Germany
Bart Preneel KU Leuven and iMinds, Belgium
Kai Rannenberg Goethe University Frankfurt, Germany
Shoichi Saito Nagoya Institute of Technology, Japan
Kazuo Sakiyama The University of Electro-Communications,
Japan
Yu Sasaki NTT, Japan
Patrick Schaumont Virginia Tech, USA
Jae Hong Seo Myongji University, South Korea
Masahito Shiba Ryukoku University, Japan
Francesco Sica Nazarbayev University, Kazakhstan
Yuji Suga Internet Initiative Japan Inc., Japan
Takeshi Sugawara Mitsubishi Electric Corporation, Japan
Tsuyoshi Takagi Kyushu University, Japan
Keisuke Tanaka Tokyo Institute of Technology, Japan
Masayuki Terada NTT Docomo, Japan
Satoru Tezuka Tokyo University of Technology, Japan
Damien Vergnaud ENS, France
Jian Weng Jinan University, China
Sven Wohlgemuth TU Darmstadt/CASED, Germany
Hiroshi Yamada Tokyo University of Agriculture and
Technology, Japan
Dai Yamamoto Fujitsu Laboratories, Japan
Toshihiro Yamauchi Okayama University, Japan
Chung-Huang Yang National Kaohsiung Normal University, Taiwan
Kazuki Yoneyama NTT, Japan
Katsunari Yoshioka Yokohama National University, Japan
Hiroshi Yoshiura The University of Electro-Communications,
Japan
Rui Zhang Chinese Academy of Sciences, China

External Reviewers
Hiroshi Aono Harunaga Hiwatari
George Argyros Masatsugu Ichino
Rouzbeh Behnia Takanori Isobe
Jinyong Chang Kouichi Itoh
Steven Galbraith Masami Izumi
Mitsuhiro Hattori Satoshi Kai
X IWSEC 2014

Yutaka Kawai Sujoy Roy

Yoshihiro Koseki Minoru Saeki
Xiao Lan Yusuke Sakai
Peeter Laud Michael Scott
Hyung Tae Lee Naoyuki Shinohara
Zhenhua Liu Mitsuru Shiozaki
Hui Ma Marc Stöttinger
Atefeh Mashatan Junko Takahashi
Takahiro Matsuda Takao Takenouchi
Shin’Ichiro Matsuo Eiji Takimoto
Bart Mennink Syh-Yuan Tan
Kirill Morozov Toshiaki Tanaka
Pratyay Mukherjee Tadanori Teruya
Manh Ha Nguyen Welderufael Tesfay
Hoang-Quoc Nguyen-Son Vincent Verneuil
Vasilis Pappas Fatbardh Veseli
Roel Peeters Lars Wolos
Theofilos Petsios Naoto Yanai
Le Trieu Phong Kenji Yasunaga
Michalis Polychronakis Ahmed Yesuf
Sebastien Riou Youwen Zhu
 Table of Contents

System Security
Privacy-Friendly Access Control Based on Personal Attributes . . . . . . . . . 1
Jan Hajny, Lukas Malina, and Ondrej Tethal
Are You Threatening My Hazards? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Marina Krotofil and Jason Larsen
Complicating Process Identification by Replacing Process Information
for Attack Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Masaya Sato and Toshihiro Yamauchi
Kernel Memory Protection by an Insertable Hypervisor Which Has VM
Introspection and Stealth Breakpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Kuniyasu Suzaki, Toshiki Yagi, Kazukuni Kobara, and
Toshiaki Ishiyama
Key Management for Onion Routing in a True Peer to Peer Setting
(Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Paolo Palmieri and Johan Pouwelse

Threshold Cryptography
Cheater Identifiable Secret Sharing Schemes via Multi-Receiver
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Rui Xu, Kirill Morozov, and Tsuyoshi Takagi
Cheating Detectable Secret Sharing Schemes Supporting an Arbitrary
Finite Field (Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Satoshi Obana and Kazuya Tsuchida
Secure Multi-Party Computation for Elliptic Curves (Short Paper) . . . . . 98
Koutarou Suzuki and Kazuki Yoneyama
More Constructions of Re-splittable Threshold Public Key
Encryption (Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Satsuya Ohata, Takahiro Matsuda, Goichiro Hanaoka, and
Kanta Matsuura

Hardware Security
How to Effectively Decrease the Resource Requirement in Template
Attack? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Hailong Zhang
XII Table of Contents

Deterministic Hard Fault Attack on Trivium (Short Paper) . . . . . . . . . . . . 134

Avijit Dutta and Goutam Paul
DPA Resilience of Rotation-Symmetric S-boxes . . . . . . . . . . . . . . . . . . . . . . 146
Muhammet Ali Evci and Selçuk Kavut
A Technique Using PUFs for Protecting Circuit Layout Designs against
Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and
Naoya Torii
Hydra: An Energy-Efficient Programmable Cryptographic
Coprocessor Supporting Elliptic-Curve Pairings over Fields of Large
Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Yun-An Chang, Wei-Chih Hong, Ming-Chun Hsiao, Bo-Yin Yang,
An-Yeu Wu, and Chen-Mou Cheng

Foundation
On the Security Proof of an Authentication Protocol from
Eurocrypt 2011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Kosei Endo and Noboru Kunihiro
Improved Linear Cryptanalysis of Reduced-Round MIBS . . . . . . . . . . . . . . 204
Aslı Bay, Jialin Huang, and Serge Vaudenay
Characterization of EME with Linear Mixing . . . . . . . . . . . . . . . . . . . . . . . . 221
Nilanjan Datta and Mridul Nandi
Exponentiation Inversion Problem Reduced from Fixed Argument
Pairing Inversion on Twistable Ate Pairing and Its Difficulty
(Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Shoichi Akagi and Yasuyuki Nogami

Encryption
Related Key Secure PKE from Hash Proof Systems . . . . . . . . . . . . . . . . . . 250
Dingding Jia, Bao Li, Xianhui Lu, and Qixiang Mei
Towards Symmetric Functional Encryption for Regular Languages with
Predicate Privacy (Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Fu-Kuo Tseng, Rong-Jaye Chen, and Bao-Shuh Paul Lin
Framework for Efficient Search and Statistics Computation on
Encrypted Cloud Data (Short Paper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Sanjit Chatterjee and Sayantan Mukherjee

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

 Privacy-Friendly Access Control
Based on Personal Attributes

Jan Hajny1 , Lukas Malina1 , and Ondrej Tethal2

1
Cryptology Research Group
Brno University of Technology
Czech Republic
{hajny,malina}@feec.vutbr.cz
2
OKsystem
Czech Republic
tethal@oksystem.cz

Abstract. In attribute-based access control systems, the attribute own-

ership instead of identity is verified before an access to private services
or areas is granted. This approach allows more privacy-friendly verifi-
cation of users since only individual attributes (such as age, citizenship
or ticket ownership) are disclosed to service providers, not the complete
identity. Unfortunately, there are very few cryptographic systems allow-
ing practical attribute-based access control system implementations. The
lack of cryptographic schemes is caused by the fact that the good bal-
ance between privacy and accountability is very difficult to achieve. In
this paper, the first implementation of the HM12 attribute-based scheme
and a practical choice of its security parameters are presented. The cryp-
tographic scheme is implemented on off-the-shelf hardware, namely on
MultOS programmable smart-cards and, experimentally, on Android de-
vices. Finally, the results from our pilot deployment of the access-control
system and the obtained user feedback are presented.

Keywords: Access Control, Anonymity, Smart-Cards, Privacy, Attri-

butes, Security, Cryptography.

1 Introduction
The attribute-based access control is usually realized by using cryptographic
schemes called anonymous attribute-based credentials. The cryptographic foun-
dations for attribute-based credentials (ABCs) started to appear in the late
1990s. Since then, the technologies now known as U-Prove [27] or Idemix [10]
have been developed. Their purpose is to provide more privacy and digital iden-
tity protection for the process of electronic user verification. In the first place,
the cryptographic schemes are designed to provide users with the ability to give
anonymous proofs of the ownership of personal attributes, such as age, group
membership or citizenship. With anonymous proofs, the digital identity of In-
ternet users, as well as real identity of citizens with electronic ID cards (eIDs),
would be better protected. Furthermore, unauthorized tracing of people and be-
havioral profiling would be much more difficult due to advanced features such as

M. Yoshida and K. Mouri (Eds.): IWSEC 2014, LNCS 8639, pp. 1–16, 2014.

c Springer International Publishing Switzerland 2014
2 J. Hajny, L. Malina, and O. Tethal

the unlinkability of verification sessions or untraceability. But despite the cryp-

tographic technologies having been known for over a decade, there are only very
few practical implementations of these technologies.
The first reason why the cryptographic ABCs are so hard to implement is their
very high complexity. In most schemes, the advanced zero-knowledge protocols
[15], or their lightweight variant Σ-protocols [14], are employed. These protocols
involve computationally demanding operations such as modular multiplication
and exponentiation with big numbers. While these operations are fast enough
on computers, they are currently very difficult to run on highly resource-limited
devices such as smart-cards. Unfortunately, smart-cards are the most preferred
devices for user verification as they can be used in mass transportation, building
access-control systems or as national eIDs.
The second reason why there are so few practical implementations of ABCs
might be the missing important features. Although the research into privacy-
enhancing ABCs has been running since the late 1990s, some features are still
very difficult to achieve. In particular, it is very difficult to provide practical
revocation of users if all necessary privacy protection features are supported. In
ABC systems, where all user sessions are anonymous, unlinkable and untrace-
able, it is very difficult to exclude one particular user from the system once they
have been let in. It is even more difficult to do so if all users use an offline device
such as the smart-card, where no information can be updated after the card has
been issued.
In this paper, we present the first implementation and the practical pilot
deployment of the HM12 scheme, which was fully cryptographically described
at the CARDIS conference in 2012 [20]. In contrast to similar implementations
of related schemes like U-Prove or Idemix (as shown in the Related Work sec-
tion), we implement all phases necessary for a practical deployment, namely
the attribute issuance phase, the anonymous attribute verification phase and
the offline revocation phase. All protocols involving a user were implemented on
programmable smart-cards with the MultOS ML-3 operating system. The proto-
cols were parameterized to run in a reasonable, practical time and we succeeded
in supporting all privacy-enhancing features together with offline revocation fea-
tures.

1.1 Related Work

First, we briefly analyze the existing schemes from the cryptography perspective.
There are two main cryptographic designs of ABCs available, the U-Prove by
Stefan Brands and Microsoft [27] and the Idemix by IBM [10]. Both schemes
allow users to anonymously prove their attributes to electronic verifiers. Both
schemes support the untraceability feature where the issuer of attributes cannot
trace users while they use their credentials to prove their attributes. The U-Prove
has the drawback of lacking unlinkability of verification sessions. In practice, the
verifier (or any eavesdropper) can trace or even deanonymize the user by linking
all the verification sessions to a single profile. This is possible due to a unique
user ID which is present in all user’s transactions. The Idemix has the drawback
 Privacy-Friendly AC 3

of unresolved revocation process. The users can be revoked either by the expiry of
their credentials after their life time is out [11] or by a blacklisting or whitelisting
method based on accumulators [23]. The latter method is impossible when offline
devices are used, the first method if fast revocation is required. Both U-Prove
and Idemix were originally designed for computers but can be implemented on
smart-cards too. The HM12 scheme [20] is a scheme initially designed for of-
fline smart-cards. The scheme supports all privacy-enhancing features such as
anonymous attribute proofs, the untraceability of users, the unlinkability of ver-
ification sessions. But in addition, HM12 includes a practical offline revocation
method. Using the method in HM12, the users can be revoked immediately with-
out revealing their identity and without the need to contact any other remaining
users. Thus, the revocation in HM12 is available even if completely offline de-
vices like smart-cards are used for user verification. This type of revocation is
called verifier-local revocation (VLR) [8]. The drawback of the HM12 scheme
is that it relies on the tamper-resistance of the smart-card to prevent collusion
attacks. Thus, the scheme better suits scenarios where the benefits of creating a
new fake user are not higher than the effort needed to break the protection of a
set of modern smart-cards.
With all the above ABC schemes having stronger and weaker aspects and
fitting different implementation scenarios, it is impossible to choose one that fits
all situations. Thus, we analyze existing implementations of all schemes.
We start with the U-Prove scheme which was first published by Stephan
Brands and Credentica in 2000 [9] and implemented on PC and phones in Java
in 2007 [1]. After acquisition by Microsoft, the protocol specification, test vectors
and SDK [27] were released. The implementation on JavaCard programmable
smart-cards was described in 2009 [28]. Using this implementation, the time
necessary for attribute ownership verification exceeds 5 s for 2 attributes and 9 s
for 4 attributes. The implementation on MultOS programmable smart-cards was
described in 2012 [25]. In this implementation, the MultOS device is the preferred
user device for all scheme protocols, in contrast to Microsoft’s implementation
where PC is preferred. On MultOS, the user is able to prove their attribute in
less than 1 s.
The first version of the IBM’s Idemix scheme was first described in 2002
[13], based on foundations published in [24]. The first implementations used the
JavaCard smart-card platform. The implementation from 2007 [16] needs around
10 s to prove attribute ownership and the improved implementation from 2009
[7] needs ca 7.4 s. Considering the usage of ABC in everyday situations for ac-
cess control or mass public transportation, a proof generation time of over 5 s is
impractical. Thus, Idemix was also implemented on the MultOS smart-card plat-
form, with ca 1.5 s needed to generate the attribute proof. The main weakness of
all existing implementations of Idemix is that they do not include a revocation
mechanism that would be able to exclude invalid cards (users) from the systems.
The inclusion of such a revocation mechanism increases the system complexity
very significantly. Therefore, the above shown times of attribute proofs might be
misleading since any system lacking the revocation feature would be useless in
4 J. Hajny, L. Malina, and O. Tethal

practice. Recently, pilot projects for Idemix were launched. The IRMA (I Reveal
My Attributes) project pilot [3] started in December 2013 and two ABC4Trust
pilot deployments have been running since 2013 [6,4], with the expected evalu-
ation at the end of 2014.
The HM12 scheme published in 2012 [20] has not been fully implemented
until now. The implementation of the primitives [20,21] indicated that the time
of proof generation can be around 2 s, including revocation mechanisms. The
full implementation on MultOS ML-3 cards, performance and the evaluation of
pilot deployment results are presented in this paper.

1.2 Our Contribution

We present the first implementation of an ABC scheme which supports all
privacy-enhancing features, has practical execution times on offline smart-cards
and, most importantly, provides functional VLR revocation mechanisms. We de-
scribe protocols of the scheme, describe our choice of security parameters, show
our implementation and present the resulting system. We describe the results of
our pilot deployment in which the scheme was used to control students’ access
to university laboratories during standard semester operation.

1.3 Notation
For various proofs of knowledge or representation, we use the efficient notation
introduced by Camenisch and Stadler [12]. The protocol for proving the knowl-
edge of discrete logarithm of c with respect to g is denoted as P K{α : c = g α }.
The proof of discrete log equivalence with respect to different generators g1 , g2
is denoted as P K{α : c1 = g1α ∧ c2 = g2α }. A signature by a traditional PKI
(e.g., RSA) scheme of a user U on some data is denoted as SigU (data). The
scheme selection, key certification, key distribution, etc., are out of the scope of
this paper. The symbol “:” means “such that”, “|” means “divides”, “|x|” is the
bitlength of x and “x ∈R {0, 1}l” is a randomly chosen bitstring of maximum
length l.

2 Scheme Description
The HM12 scheme [20] allows a User to apply for an attribute at the Issuer.
The attribute can represent any personal information, the possession of a driving
license, for instance. If the Issuer agrees with the attribute issuance, they sign
User’s application for the attribute. Then, the user can activate their attribute at
the Revocation Referee. The Revocation Referee is a privacy protection guarantee
who decides about revocation or deanonymization in cases where system rules
are violated by the User. The attribute is activated to the User by granting an
attribute key. After the attribute issuance is completed, a User can anonymously
prove their attribute ownership to Verifiers. All proofs will remain anonymous,
untraceable and unlinkable if the user adheres to the rules. In the case of rule
 Privacy-Friendly AC 5

violation, the attribute ownership proof can be de-anonymized, but only by a

joint procedure done by the Issuer and Revocation Referee. The roles in the
HM12 scheme are the following:

– Issuer (I): validates the applications for attributes, issues attributes to Users.
– User (U): gets issued an attribute from Issuers and anonymously proves its
possession to Verifiers.
– Verifier (V): receives the attribute ownership proof generated by the User,
verifies its validity. In the case of disputes, initiates the revocation or de-
anonymization process.
– Revocation Referee (RR): activates the attributes to Users, decides about
the legitimacy of revocation or deanonymization requests by Verifiers.

The interaction among entities is described by the protocols. They are the
Setup protocol, IssueAtt protocol, ProveAtt protocol and Revoke protocol, as
shown in Figure 1.

Revocation
Issuer
KI Referee
KRR
Setup Revoke Setup

Revoke
Is

tt
su

eA
eA

su
tt

Is

User
ProveAtt Verifier
KU, KS

Fig. 1. Architecture of HM12 Scheme

A full cryptographic description of the protocols is presented in the original

paper [20]. The purpose of protocols is the following:

– (params, KRR , KI ) ←Setup(k, l, m): this algorithm is run by RR and Issuer.

Setup inputs security parameters (k, l, m) and outputs system parameters
params. RR’s private output of the protocol is the KRR key and I’s private
output is the KI key.
– KU ←IssueAtt(params, KI , KRR ): the protocol outputs User’s master key
KU . The master key is needed by the User to create the attribute ownership
proof in the ProveAtt protocol. By using advanced cryptographic techniques,
6 J. Hajny, L. Malina, and O. Tethal

the KU is generated in such a way that only User’s smart-card learns it

although both RR and Issuer must contribute data and collaborate on KU
creation.
– proof ←ProveAtt(params, KU ): using public system parameters and the
KU generated by the IssueAtt protocol, it is possible to build an attribute
proof using the ProveAtt. For each proof , a unique session key KS is gen-
erated by the User. The proof is anonymized and randomized by KS . The
protocol runs between the Verifier and User’s smart-card. By ProveAtt, the
User proves their ownership of attributes.
– rev ←Revoke(params, proof, KRR , KI ): in special cases (e.g., smart-card
loss, theft or damage), the issued attributes can be revoked or the mali-
cious Users can even be de-anonymized. In that case, the proof transcript
is sent by the Verifier to the RR with adequate evidence for revocation.
RR evaluates the evidence and opens the proof transcript using their KRR .
Depending on the type of revocation chosen by RR, the RR can either black-
list the attribute by publishing anonymous revocation information rev on a
public blacklist or provide the Issuer with information necessary for User
identification. The Issuer is then able to identify and charge the malicious
User.

3 Scheme Implementation
This section contains information regarding our choice of security parameters,
development environment and implementation aspects, and the description of
server and user applications.

3.1 Choice of Security Parameters

The scheme contains three key security parameters k, l, m. They are the inputs to
the Setup protocol and significantly affect the generation of all system variables.
Their meaning and the values, we use as follows:
– k - is the bitlength of the output of the hash function used in the Fiat-Shamir
heuristics [17] used in the non-interactive zero-knowledge proofs. We used
the SHA-1 function which is available on MultOS smart-card, thus k = 160.
– l - is closely related to the length of the user key. The user key consists of
two parts, of length l and 2l. Since keys represent the discrete logarithm in
groups where discrete logarithm is hard to compute, we adhered to the NIST
recommendation for minimal 160 b keys and chose l = 80 for a faster variant
and l = 160 for a slower variant of our implementation.
– m - is the verification error parameter. We chose m = 80. In the non-
interactive zero-knowledge protocols, the probability of error is then 2−80 ,
see [5] for details.
The HM12 scheme is based on two multiplicative groups where discrete log-
arithm is hard to compute. Namely, the DSA group modulo prime p [18] and
 Privacy-Friendly AC 7

the Okamoto-Uchiyama group modulo composite n = r2 s [26] are used. Due to

the computational restriction of the smart-card, we chose 1024 bit and 1392 bit
groups for our pilot implementation. Our choice of cryptographic parameters for
two versions of the implementations are summarized in Table 1.

Table 1. Specification of cryptographic parameters used in the implementation

Parameter Faster Variant Slower Variant

|p| 1024 1392
|n| 1024 1392
k 160 160
l 80 160
m 80 80

3.2 Architecture
The implementation environment contains servers, terminals, smart-cards and
mobile phones, see Figure 2.

Fig. 2. Implementation Environment of Proposed Scheme

The Revocation Referee, Issuer and Verifier entities were implemented as

server applications. The Java SE environment [19] and the Spring framework
[22] were used. For data storage, the SQLite database was selected. The commu-
nication is based on the Java Remote Method Invocation (RMI). Although the
8 J. Hajny, L. Malina, and O. Tethal

servers run as services most of the time, a graphic user interface is needed for
a new User registration and for their deletion. The Swing technology is used to
provide the graphic interface. Both IssueAtt and ProveAtt run on the smart-
card on the User’s side. Remote terminals with smart-card readers are used to
forward the communication between User’s smart-card and Issuer’s and RR’s
servers. The communication with smart-card readers is provided by the Java
Smart Card I/O API. Apache Maven [2] is used for building the software. The
classes for cryptographic keys are shown in Figure 3, the designation respects
the notation used in the original paper [20].

Fig. 3. Diagram of Cryptographic Key Classes

3.3 Smart-Card Application

The IssueAtt and the ProveAtt protocols run on the smart-card. This allows
the user to securely generate and use their cryptographic keys without leaving
the hardware-protected storage. On the other hand, the protocols can use only
very limited hardware resources shown in the specification of the smart-card in
Table 2, in particular a very low RAM. The original IssueAtt and ProveAtt
had to be split into multiple parts, the specification of both protocols is in the
Appendix A.

Application Life Cycle. The life cycle of the application is defined by a state
machine (see Figure 4). The current state determines which values are considered
valid and the set of allowed commands.
 Privacy-Friendly AC 9

Table 2. Hardware specification of the MultOS ML-3 cards used

Hardware Specification
Chip SLE78CLXxxxPM
CPU 16 bit
Int./Ext. clock 33 MHz/7.5 MHz
RAM Memory 1088+960 B
ROM/EEPROM 280 kB/60 kB
Modular API Yes

GENERATE
INIT USER KEY
SET P, H1, H2
SET N , G1, G2, G3
SET A SEED

ATTR KEY
PROVE ATT A -E RESET RESET ISSUE ATT 1A-B
STATE STATE
SIGN
GET CI SIGNATURE SET CI
SET WRR ISSUE ATT 2A-C
SIGNATURE

Fig. 4. Smart-Card State Diagram

The INIT, KEY and SIGN states are used during card and attribute issuance
(system parameters are set, user key is generated, the IssueAtt protocol is per-
formed). In the last state, ATTR, the card is able to prove the possession of the
attribute via the ProveAtt protocol.
– INIT: The initial state of the application. The card does not have any valid
values. In this state, the system parameters are set using the Setup pro-
tocol. After generating the user private key using the GENERATE USER KEY
command the card changes its state to KEY.
– KEY: The card contains the system parameters and user private key (w1 , w2 ).
None of these components can be changed. The IssueAtt 1 protocol (between
the card and the issuer) is performed. After obtaining the issuer’s signature
of the commitment SigI (CI ) using the SET CI SIGNATURE command the
card changes its state to SIGN.
– SIGN: The card contains the system parameters, user private key (w1 , w2 )
and commitment signature SigI (CI ). None of these components can be
changed. The IssueAtt 2 protocol (between the card and the revocation ref-
eree) is performed. After obtaining the user attribute private key (wRR )
using the SET WRR command the card changes its state to ATTR.
10 J. Hajny, L. Malina, and O. Tethal

– ATTR: In this state, the card has all the necessary parameters to prove the
possession of the attribute Aseed using the ProveAtt protocol. No value can
be changed.

Protocols
This section describes the cryptographic protocols implemented on the smart
card:
– Setup: performed by the User and the Issuer.
– IssueAtt 1: performed by the User and the Issuer
– IssueAtt 2: performed by the User and the Revocation Referee
– ProveAtt: performed by the User and the Verifier
Setup
This protocol is performed by the issuer for the values of the system parameters
to be written onto the card. At the end of the protocol, the user private key
(w1 , w2 ) is generated.

IssueAtt 1
This protocol is performed by the user and the issuer. During this protocol, the
issuer obtains the user’s commitment CI = hw 1 w2
1 h2 mod p and the user proves
the knowledge of the corresponding values w1 and w2 . The issuer then signs the
commitment and sends the signature SigI (CI ) to the card.
The protocol is executed in the KEY state to ensure that the system parame-
ters (in this case p, h1 and h2 ) have been set and the user key (w1 , w2 ) has been
generated.

IssueAtt 2
This protocol is performed by the user and the revocation referee. During this
protocol, the revocation referee obtains the user’s commitment CI = hw 1 w2
1 h2 mod
 w1 w2
p, Aseed = g1 g2 mod n, and the issuer’s signature of the commitment SigI (CI ).
The user proves the knowledge of the corresponding values w1 and w2 . Af-
ter checking the commitment signature, the revocation referee computes wRR :
Aseed = g1w1 g2w2 g3wRR mod n and sends it to the card.
The protocol is executed in the SIGN state to ensure that the system parame-
ters (in this case p, h1 and h2 ) have been set, the user key (w1 and w2 ) has been
generated and the card has obtained SigI (CI ) from the issuer.

ProveAtt
The ProveAtt protocol is the main feature of the ACard application. In this
protocol, the card (representing the user) proves to the verifier that it owns the
attribute Aseed , i.e. that it knows (w1 , w2 , wRR ) : Aseed = g1w1 g2w2 g3wRR mod n.
The protocol is executed in the ATTR state to ensure that all the necessary
parameters have been set.
The protocols are invoked by sending APDU commands. The list of supported
APDU commands, their name, description and state in which they operate can
be found in Appendix B.
 Privacy-Friendly AC 11

3.4 Android Application

Now only experimentally, we implemented the ProveAtt protocol also on An-

droid devices. Both the User’s and the Verifier’s side of the protocol were imple-
mented. Using these applications, Users can generate their attribute proofs on
their mobile phones using the User app, and Verifiers can use mobile phones or
tablets to check the proofs using the Verifier app.

Fig. 5. Verification with Three Types of Communication Interfaces

The Verifier application supports three types of communication interfaces,

see Figure 5. The first option is to use QR codes to transfer the attribute proof
data. In that case, the QR code containing cryptographic proof data is scanned
by the camera of the Verifier device, e.g. a phone or tablet. This option is ideal
for devices lacking other simple communication interfaces, like iPhone or iPad.
The second option is to use the NFC (Near Field Communication) interface. In
that case, the cryptographic proof is transferred by attaching two NFC-enabled
devices close to each other. The NFC interface is ideal for situations where both
the User and the Verifier applications are running on NFC-enabled devices, like
Android phones or tablets. The third option is to use the standard smart-card
with the application as described in previous section 3.3 and read the attribute
proof by using the RFID (Radio Frequency IDentification, ISO/IEC 14443) tech-
nology. Since NFC and RFID in smart-cards are compatible, the Verifier mobile
application can be also used to read proofs generated by standard smart-cards.
Therefore, our smart-cards can be read either by standard terminals or mobile
devices interchangeably without any modifications.
To take advantage of new interfaces, namely NFC and QR codes, we also
developed User applications which are able to generate attribute proofs according
to the ProveAtt protocol and transfer the cryptographic data via QR or NFC.
With these applications available, Users can choose whether they prefer standard
smart-cards or mobile devices for the verification of their attribute ownership.
The Verifier application with scanned QR code from the User application is
depicted in Figure 6.
12 J. Hajny, L. Malina, and O. Tethal

Fig. 6. Verifier Application during Verification of a QR Code - Two Screen Captures

Fig. 7. Evaluation Results - Weak Aspects Selected by Evaluators in Questionnaire

(at least 1 weakness had to be selected)

4 Pilot Deployment
The attribute-based credential system has been experimentally deployed at the
university during the fall semester of 2013. The goal of the pilot deployment was
to verify, whether the attribute-based credentials can be practically deployed for
privacy-enabled access control. An attribute indicating student group member-
ship has been issued to 30 smart-cards. Then, the students used the smart-cards
to gain access to university laboratories. In this pilot deployment, the students
remained anonymous and untraceable while the university had the ability to
control access to its premises.
The attribute issuance phase is represented by the IssueAtt protocol and is
realized via communication between the student’s smart-card and the issuance
terminal. The attribute issuance took around 4.5 s, including the time neces-
sary for user key generation and data transfer. The operation needs to be done
only once in a lifetime. After attribute issuance, the students were able to use
the smart-card to access laboratories. The access was granted after successful
 Privacy-Friendly AC 13

completion of the ProveAtt protocol. The attribute proof generation and verifi-
cation took around 2.9 s, including the time necessary for session randomization,
revocation check and data transfer. The 1024 b variant was used.
After completion, the attribute-based system was anonymously evaluated by
the students. The general results can be seen in Figure 7, indicating that the
speed of attribute verification is the main aspect to be improved by future
optimization. The speed improvement might be easily achieved by using smart-
phones instead of smart-cards for attribute proof generation. In our pilot de-
ployment, only smart-cards were used as User devices.

5 Conclusion
We presented the first practical implementation of the HM12 scheme for anony-
mous attribute-based credentials (ABCs). We presented the complete imple-
mentation of all protocols, namely the attribute issuance protocol, the attribute
verification protocol and the revocation protocol. In particular, the practical
VLR revocation protocol has been missing in existing ABCs implementations
until now. All protocols were implemented on the MultOS ML3 smart-cards
with only 16 b CPU and 2 kB of RAM available. We showed the results of our
pilot deployment and presented the applications for mobile devices. Our future
plan is to modify the ProveAtt protocol in order to get rid of the need for device
tamper-resistance, which is the known weakness of the HM12 scheme. That will
allow easier deployment on Android and iOS mobile devices.

Acknowledgment. This research work is funded by the Technology Agency

of the Czech Republic project TA02011260 ”Cryptographic system for the pro-
tection of electronic identity”, the project SIX CZ.1.05/2.1.00/03.007 and the
Czech Science Foundation project 14-25298P.

References
1. U-prove sdk overview. White paper. Tech. rep., Credentica Inc. (2007),
http://www.credentica.com/GovOnline.pdf
2. Apache maven project (2014), http://maven.apache.org
3. I reveal my attributes, irma (2014), https://www.irmacard.org
4. Abendroth, J., Liagkou, V., Pyrgelis, A., Raptopoulos, C., et al.: D7. 1 application
description for students. Technical report, ABC4Trust (2012)
5. Bao, F.: An efficient verifiable encryption scheme for encryption of discrete loga-
rithms. In: Quisquater, J.-J., Schneier, B. (eds.) CARDIS 2000. LNCS, vol. 1820,
pp. 213–220. Springer, Heidelberg (2000)
6. Bcheri, S., Goetze, N., Orski, M., Zwingelberg, H.: D6. 1 application description
for the school deployment. Technical report, ABC4Trust (2012)
7. Bichsel, P., Camenisch, J., Gro, T., Shoup, V.: Anonymous credentials on a stan-
dard java card. In: Proceedings of the 16th ACM Conference on Computer and
Communications Security, CCS 2009, pp. 600–610. ACM Press (2009)
8. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.)
CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
9. Brands, S.A.: Rethinking public key infrastructures and digital certificates. MIT
Press (c2000)
14 J. Hajny, L. Malina, and O. Tethal

10. Camenisch, J., et al.: Specification of the identity mixer cryptographic library,
Tech. rep. (2010)
11. Camenisch, J., Kohlweiss, M., Soriente, C.: Solving revocation with efficient update
of anonymous credentials. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS,
vol. 6280, pp. 454–471. Springer, Heidelberg (2010)
12. Camenisch, J., Stadler, M.: Proof systems for general statements about discrete
logarithms. Tech. rep. (1997)
13. Camenisch, J., Van Herreweghen, E.: Design and implementation of the idemix
anonymous credential system. In: Proceedings of the 9th ACM Conference on Com-
puter and Communications Security, CCS 2002, pp. 21–30. ACM, New York (2002)
14. Cramer, R.: Modular Design of Secure, yet Practical Cryptographic Protocols.
Ph.D. thesis, University of Amsterdam (1996)
15. Cramer, R., Damgård, I., MacKenzie, P.: Efficient zero-knowledge proofs of knowl-
edge without intractability assumptions. In: Imai, H., Zheng, Y. (eds.) PKC 2000.
LNCS, vol. 1751, pp. 354–373. Springer, Heidelberg (2000)
16. Danes, L.: Smart card integration in the pseudonym system idemix. Master’s thesis,
University of Groningen (2007)
17. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification
and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263,
pp. 186–194. Springer, Heidelberg (1987)
18. Gallagher, P., Kerry, C.: Fips pub 186-4: Digital signature standard, dss (2013),
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
19. Gosling, J., et al.: The java language specification, java se 7 edition (2013)
20. Hajny, J., Malina, L.: Unlinkable attribute-based credentials with practical revo-
cation on smart-cards. In: Mangard, S. (ed.) CARDIS 2012. LNCS, vol. 7771,
pp. 62–76. Springer, Heidelberg (2013)
21. Hajny, J., Malina, L., Martinasek, Z., Tethal, O.: Performance evaluation of primi-
tives for privacy-enhancing cryptography on current smart-cards and smart-phones.
In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald,
W.M. (eds.) DPM 2013 and SETOP 2013. LNCS, vol. 8247, pp. 17–33. Springer,
Heidelberg (2014)
22. Johnson, R., et al.: The spring framework - reference documentation, version 2.5.6
(2008)
23. Lapon, J., Kohlweiss, M., De Decker, B., Naessens, V.: Performance analysis of
accumulator-based revocation mechanisms. In: Rannenberg, K., Varadharajan, V.,
Weber, C. (eds.) SEC 2010. IFIP AICT, vol. 330, pp. 289–301. Springer, Heidelberg
(2010)
24. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anony-
mous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.)
EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)
25. Mostowski, W., Vullers, P.: Efficient U-prove implementation for anonymous cre-
dentials on smart cards. In: Rajarajan, M., Piper, F., Wang, H., Kesidis, G. (eds.)
SecureComm 2011. LNICST, vol. 96, pp. 243–260. Springer, Heidelberg (2012)
26. Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring.
In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer,
Heidelberg (1998)
27. Paquin, C.: U-prove cryptographic specification v1.1, Tech. rep. (2011)
28. Tews, H., Jacobs, B.: Performance issues of selective disclosure and blinded issuing
protocols on java card. In: Markowitch, O., Bilas, A., Hoepman, J.-H., Mitchell,
C.J., Quisquater, J.-J. (eds.) WISTP 2009. LNCS, vol. 5746, pp. 95–111. Springer,
Heidelberg (2009)
 Privacy-Friendly AC 15

Appendix A: Cryptographic Specification of Implemented

Protocols
The IssueAtt protocol for issuing new attributes implemented on the ML3
smart-card is depicted in Figure 8, using the CS notation [12].

RR User Issuer

w1 ∈R {0, 1}2l−1 , w2 ∈R {0, 1}l−1

CI = commit(w1 , w2 ) = hw 1 w2
1 h2 mod p

1 h2 }, SigU (CI )
P K{w1 , w2 : CI = hw1 w2
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
Store (CI , SigU (CI ))
SigI (CI )
←−−−−−−−−−−−−−−−−−−−
Aseed = g1w1 g2w2 mod n

Aseed , CI , SigI (CI ),


P K{(w1 , w2 ) : CI = hw 1 h2 ∧ Aseed = g1 g2 }
1 w2 w1 w2

←−−−−−−−−−−−−−− − −−− −−−−−−−− −−−−−−−−−−−

wRR : Aseed = g1w1 g2w2 g3wRR mod n
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
User master key for Aseed : KU = (w1 , w2 , wRR )

Fig. 8. IssueAtt Protocol in Camenisch-Stadler Notation

The ProveAtt protocol for verifying attributes implemented on the ML3 smart-
card is depicted in Figure 9, using the CS notation [12].

User Verifier

Aseed = g1w1 g2w2 g3wRR mod n

KS ∈R {0, 1}l
A = AK S
seed mod n

C1 = g3KS wRR mod n

C2 = g3KS mod n

P K{(KS , KS w1 , KS w2 , KS wRR ) : A = g1KS w1 g2KS w2 g3KS wRR

∧A = AKseed ∧ C1 = g3
S KS wRR
∧ C2 = g3KS }
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→

Fig. 9. ProveAtt Protocol in Camenisch-Stadler Notation

16 J. Hajny, L. Malina, and O. Tethal

Appendix B: List of Smart-Card APDU Commands

Table 3. List of APDU commands

INS Name Description State

0Eh RESET STATE Sets state to INIT ANY
10h SET P Sets p INIT
12h SET H1 Sets h1 INIT
14h SET H2 Sets h2 INIT
16h SET N Sets n INIT
18h SET G1 Sets g1 INIT
1Ah SET G2 Sets g2 INIT
1Ch SET G3 Sets g3 INIT
1Eh SET A SEED Sets Aseed INIT
20h GENERATE USER KEY Generates w1 , w2 INIT
22h ISSUE ATT 1A Phase A of IssueAtt 1 KEY
24h ISSUE ATT 1B Phase B of IssueAtt 1 KEY
26h SET CI SIGNATURE Stores SigI (CI ) KEY
28h GET CI SIGNATURE Returns SigI (CI ) SIGN
2Ah ISSUE ATT 2A Phase A of IssueAtt 2 SIGN
2Ch ISSUE ATT 2B Phase B of IssueAtt 2 SIGN
2Eh ISSUE ATT 2C Phase C of IssueAtt 2 SIGN
30h SET WRR Sets wRR SIGN
32h PROVE ATT A Phase A of ProveAtt ATTR
34h PROVE ATT B Phase B of ProveAtt ATTR
36h PROVE ATT C Phase C of ProveAtt ATTR
38h PROVE ATT D Phase D of ProveAtt ATTR
3Ah PROVE ATT E Phase E of ProveAtt ATTR
 Are You Threatening My Hazards?

Marina Krotofil1 and Jason Larsen2

1
Hamburg University of Technology, Hamburg, Germany
2
IOActive, Inc., Seattle, WA 98104, USA

Abstract. This paper presents a framework for discussing security in

cyber-physical systems, built on a simple mental model of the relation-
ship between security and safety that has protection flows at its core. We
explain their separation of concerns and outline security issues which can
yield a violation of the protection flow, supporting the discussion with
real world examples. We conclude the paper with a discussion on matters
which are beyond our control, subjected to contradictory requirements,
or do not have easy solutions. We also identify novel research challenges
in the emerging field of cyber-physical security.

1 Introduction
Advances in computing and networking have rendered possible the addition of
new capabilities to physical systems that could not be feasibly added before.
This led to the emergence of engineering systems called cyber-physical systems
(CPS): collaborative environments consisting of computational and communica-
tion elements controlling physical entities with the help of sensors and actuators.
Aircrafts, robots, utilities, chemical and food plants are examples of such sys-
tems. Some cyber-physical systems are termed critical infrastructures because
their functionality is critical to modern society.
While “cyberfication” contributes to improving the efficiency of physical pro-
cesses, it is also a source of concerns about vulnerabilities to both random cyber
failures and security attacks. On one hand embedded computers have enabled
the governing of physical applications to achieve desired outcomes. On the other
hand physical systems can be instructed in the same way to perform actions that
are not intended. As a result software code which does not inherently possess
tangible force can potentially acquire destructive capacity through the ability
to instruct physical systems to malfunction. Cyber attacks on physical systems
are correspondingly called cyber-physical attacks. The implications of this class
of cyber attacks (the ability to inflict physical damage) is the main difference
between cyber-physical and conventional cyber attacks. What is not always un-
derstood is that breaking into the cyber-physical system and taking over its
component(s) is not enough to carry out an attack. Actually abusing the sys-
tem requires additional knowledge such as a good understanding of mechanics,
physics, signal processing, control principles, etc. Moreover, different types of
CPS are subjected to fundamentally dissimilar failure modes which first need to
be discovered.

M. Yoshida and K. Mouri (Eds.): IWSEC 2014, LNCS 8639, pp. 17–32, 2014.

c Springer International Publishing Switzerland 2014
18 M. Krotofil and J. Larsen

In the context of CPS, safety systems have the critical function of detecting
dangerous or hazardous conditions and taking actions to prevent catastrophic
consequences on the users and the environment. The industrial control commu-
nity has substantial experience in identifying and addressing potential hazards
and operational problems in terms of plant design and human error, used to
minimize the effects of atypical situations and to achieve a safe outcome from a
situation that could have resulted in a major accident. However, the evolution
of safety systems is largely built on the ability to interconnect systems and to
automate notifications and alarms in the event of safety breaches. As a result,
safety systems became vulnerable to cyber attacks. In the past the relationship
between safety and security was studied in the context of dependable comput-
ing (Fig. 1). Compared to previous work on determining common approaches to
safety and security, which had its focus on IT or system-design, see e.g. [24], [18],
we also include the underlying physical processes in our considerations.

Availability
Reliability
Dependability Safety
Security
Confidentiality
Integrity
Maintainability
Fig. 1. Dependability and security attributes, based on [5]

Both cyber security and safety have distinct histories and have developed their
own bodies of work. In both disciplines basic concepts have developed into a lan-
guage that can be used to describe best practices. However, the current efforts to
secure critical infrastructure have used the language of cyber security drawing lit-
tle from the language of safety. Architectures are most often described in terms of
security boundaries and not in terms of hazards. This cyber-oriented view of the
world has been codified into standards and regulations governing process control.
One regulation illustrating this point are the NERC CIP standards [22]. Under
this regulation a control system is broken down into a set of “control centers”.
The communications between control centers and to outside entities defines an
electronic security perimeter (ESP). Not all control centers are required to be
defended. Simple tests are used to determine whether a particular control center
is required to be defended in compliance with the standard. However, most of
the tests are cyber-oriented. The only safety-oriented test is that the control
system should have the ability to shed 300 MW of load. All other hazards such
as bringing a generator out of phase [29] or energizing a line during maintenance
work are ignored by the standard.
The NIST 800-53a standard has a similar flavor [23]. Its general hardening
recommendations such as password lengths are applied broadly to the devices
used in process control. The standard is meant to be applied to all industrial
processes without any modification for the specific product being manufactured.
Another random document with
no related content on Scribd:
pelele, or lip ring, as mentioned by Dr. Weule, who never came
across the Mavia for himself. Of their wearing their hair in pig-tails,
Mr. O’Neill says nothing—in fact, beyond the pelele, there was little
to distinguish them from neighbouring tribes, and he was disposed
to consider them a branch of the Makonde. His description of their
villages hidden away in the thorny jungle and approached by
circuitous paths recalls what Dr. Weule says as to the difficulty of
finding the Makonde settlements without a guide. In the course of
this journey Mr. O’Neill discovered Lake Lidede, and at one point of
his march he looked down on the Rovuma Valley from the edge of
the Mavia Plateau at almost the same point as that where Dr. Weule
saw it from the opposite escarpment, as described on pp. 343–4. It is
interesting to compare the two accounts:—Mr. O’Neill’s is to be
found in the Proceedings of the R.G.S. for 1882, p. 30.
Mr. J. T. Last, starting from Lindi on the 28th of October, 1885,
made his way overland to Blantyre, via Newala, Ngomano and the
Lujende Valley, in eleven weeks. He remarks on the “desolation of
the country which was formerly well populated, as the sites of the old
villages show; but now there is not a house to be seen”—through the
raids of the Magwangara and others. Lions were as numerous as they
appear to have been in 1906, and for a similar reason. One of Mr.
Last’s carriers was dragged out of the grass shelter where the men
were sleeping, thus affording an almost exact parallel to the incident
related by Dr. Weule on pp. 394–8.
At this time the country was under the nominal rule of the Sultan
of Zanzibar, who stationed his officials at some of the places near the
coast and exercised a somewhat intermittent and uncertain authority
over the chiefs in the interior. By the treaty of 1890 the whole of the
mainland as far back as Lakes Victoria and Tanganyika, between the
Rovuma on the south, and the Umba River on the north, was handed
over to Germany, while the protectorate over what remained of the
Sultan’s dominions (viz., the islands of Zanzibar and Pemba) was
taken over by the British Government.
It seems improbable that this immense territory can ever be
colonised by Germans in the same way in which Canada and
Australia have been colonised by ourselves. There are few if any parts
where German peasants and workmen could expect to live, labour,
and bring up families. So far as the country has been settled at all, it
is on the plantation system: European capitalists cultivating large
tracts of land by means of native labour. Some coffee plantations in
Usambara are, we understand, flourishing fairly well, though not
producing wealth beyond the dreams of avarice; but the system, if it
is to be extended to the whole territory, does not augur well for the
future. It is not a healthy one for employer or employed; it always
tends in the direction of forced labour and more or less disguised
slavery; and, in the end, to the creation of a miserable and degraded
proletariat. Much more satisfactory is the method to which Dr.
Weule extends a somewhat qualified approval (though there can be
no doubt that it has his sympathies) of securing to the native his own
small holding and buying his produce from him, as has been done, to
some extent, with the best results, in our own Gold Coast Colony. Dr.
Weule remarks, somewhat naively, that a wholesale immigration
from Germany would be interfered with if the native “claimed the
best parts of his own country for himself.” But surely a ver sacrum of
the kind contemplated is unthinkable in the case of East Africa.
It is possible that the reader may be somewhat perplexed by Dr.
Weule’s estimate—or estimates—of the native character. The
recurring contradictions apparent in various parts of his book arise
from the plan on which it is written. In the original edition, the
traveller’s narrative takes the form of letters addressed to his wife
and friends from the successive stages of his journey. This form has
been dispensed with (beyond the dates at the head of each chapter)
in translation,[1] because the personal allusions, in a foreign dress,
rather detract from than add to the interest of the narrative, and all
the more so, as they are not, in a sense, genuine, but have been
added, après coup, to impart an air of verisimilitude to the letters.
The latter, in fact, were not written from the places at which they are
dated, but were put into shape after the author’s return to Europe,
from notes made on the spot, together with extracts from actual
letters, not printed as a whole. This material, in order not to sacrifice
the freshness of first impressions, has been used very much as it
stood, and it will be noticed that, in many cases, the observations
made at different places correct and qualify one another.
I am glad to find that Dr. Weule stands up for the native in respect
of the old accusation of laziness. He shows that the people of the
Makonde Plateau, at any rate, work pretty hard (in some points, as in
their water-carrying, unnecessarily hard) for a living. He also
defends them against the charge of improvidence, making it quite
plain that they take infinite pains in storing their seed-corn for next
season, and that, if they do not save more of their crops against a
year of famine, instead of making the surplus into beer, it is because
they have, under present circumstances, absolutely no means of
keeping them. It is true that, in one passage, he seems to depreciate
the industry of native women, by comparison with the work done by
German maid-servants and farmers’ wives. But he forgets to make
allowance for the difference of climate—and, perhaps, one may be
permitted to doubt whether any human being really ought to work as
hard as most German women do in town or country.
On the whole, Dr. Weule is kindly disposed towards the native. He
does not seem entirely to have escaped the danger deprecated on p.
41—at least it strikes one that some of the (doubtless not unmerited)
castigations bestowed in the course of his pages might have been
dispensed with by the exercise of a little more patience and tact; but
he remained throughout on the best of terms with his carriers, and
appears to have parted from Moritz, Kibwana and Omari, in spite of
the trials to which they had subjected him in the exercise of their
several functions, with no ill-feeling on either side. More than once
he bears testimony to the uniform good manners of the people whose
villages he visited, and to their homely virtues—their unfailing
cheerfulness, their family affection, and their respect for parents. At
the same time, he relates various incidents calculated to leave a less
pleasant impression, though it must be remembered that the
proportion they bear to the whole of native life is probably less than
that borne by the criminal cases reported in our newspapers to the
daily life and conduct of our population in general. Dr. Weule’s stay
in Africa was surely long enough for him to see that the Bantu native
is not in general bloodthirsty or ferocious; that, on the contrary,
when not maddened by terror or resentment, he is gentle,
reasonable, and even somewhat lacking in vindictiveness compared
with other races. Yet, in the scientific report on the expedition (a
publication several times alluded to in the course of the work before
us) the author is, it seems to me, guilty of a grave injustice.
The reader will note that, on his return to the coast (see pp. 27–9),
he spent some time in studying the records of the Criminal Court at
Lindi, though he does not here tell us anything about the results of
his examination. Now these records certainly afford valuable
material for the study of social conditions; but they should be used
with discrimination. Dr. Weule does not give what is of the very first
importance, the number of criminal cases and their proportion to the
population, especially as the serious cases, which are brought for
trial to Lindi, represent the whole of an extensive province. But he
mentions two atrocities as a proof of the ignorance shown by certain
German newspapers, which “during the last two years have thought
it necessary to insist, over and over again, on the noble traits in the
negro character,” and of the “predominance of low instincts in those
sons of untamed nature” who have “an innate disposition to
violence.” One of the cases in question was that of a woman who
killed her own mother by a blow with the pestle used for pounding
corn. But it is hardly fair to place this murder on the same footing as
a crime committed out of mere brutal passion: the woman’s children
had died, and she believed her mother to have caused their death by
witchcraft. We know what horrible cruelties this belief has induced
people not otherwise depraved to commit: an instance occurred only
twelve or thirteen years ago, no further off than Clonmel. The other
case, which is certainly revolting enough, was the revenge of a
husband on a guilty wife. But both of them together prove absolutely
nothing without information which would enable us to see whether
they are to be regarded as exceptional, or as in any sense typical. The
other incident given by way of proving that violence and brutality are
“in the blood” of the native, is that of an unfortunate woman who,
unsuspiciously passing through the bush, fell in with a band of
unyago boys, and was by them seized and put into a slave-stick “out
of mere mischief and enjoyment of violence.” The comment on this is
that, unless the woman had been a stranger from a distance (who,
under ordinary circumstances would not be very likely to travel
alone), she must have known that there was an unyago in the
neighbourhood, that if she traversed the bush in that direction she
would do so at her peril, and that her trespassing on the forbidden
ground was an act of the grossest impropriety combined with
sacrilege. As for “delight in violence”—surely that, in one form or
another, is an inherent attribute of the “human boy” in every part of
the world, above all when he conceives himself to have a legitimate
excuse?
 The mention of the unyago mysteries suggests a subject on which
Dr. Weule has obtained fuller information than any previous writer—
at any rate on this part of Africa. It is surprising that he should have
been able to secure so many photographs of the dances—especially
those of the women—but these only constitute the more public part
of the ceremonial. As to the instruction given to the younger
generation, he does not seem to have got beyond generalities except
in the case of the two old men who, when very drunk, began to
dictate the actual formula in use, though they did not get to the end
of it. Whether any tribal traditions, any myths, embodying the
religious ideas of a far distant past, are handed down along with such
practical teaching about life as the elders are able to give, does not
appear—but from what we know about other tribes it seems highly
probable. Among the Anyanja (Wanyasa) of Lake Nyasa, e.g., a story
accounting for the origin of that lake is told. But perhaps many of the
Makonde and Makua traditions have by this time been forgotten. It
is evident that they have led a very unsettled life for the past forty or
fifty years, besides being decimated by the slave-trade. (This
circumstance, by the by, should always be remembered in connection
with Dr. Weule’s pictures of native life, which leave a painfully
squalid impression. I am far from wishing to idealize the “state of
nature”; but neither the Zulus, nor the Anyanja, nor the Yaos of the
Shire Highlands are so ignorant and careless of hygiene or so
neglectful of their babies as the poor women of Chingulungulu and
Masasi are represented by him to be.)
These “mysteries” are universal—or practically so—among the
Bantu tribes of Africa, and no doubt most others as well. Usually they
are spoken of as an unmixed evil, which Christian missionaries do all
in their power to combat, and some are not backward in calling out
for the civil power (in countries under British administration) to put
them down. The subject is a difficult and far-reaching one, and
cannot adequately be discussed here. My own conviction, which I
only give for what it is worth, is that it is a great mistake to interfere
with an institution of this sort, unless, perhaps, when the people
themselves are ceasing to believe in it, in which case there is danger
of its becoming a mere excuse for immorality. Otherwise, even the
features which to our feelings seem most revolting are entwined with
beliefs rooted in a conception of nature, which only the gradual
advance of knowledge can modify or overthrow. And we must
remember that the problem which these poor people have tried to
solve in their own way is one which presses hardly on civilized
nations as well. Parents and teachers have discovered the evil of
keeping the young in ignorance, or leaving them to discover for
themselves the realities of life; but many of them appear helplessly
perplexed as to the best way of imparting that instruction.
As regards missions, Dr. Weule has not very much to say, but I am
sorry to find that he cannot refrain from the cheap sneer about
“Christianity not suiting the native,” which seems to be fashionable
in some quarters. It seems to be a mere obiter dictum on his part—
perhaps unthinkingly adopted from others—for he brings no
arguments in support of his view, beyond remarking that Islam suits
the African much better, as it does not interfere with his freedom.
But some excuse may be found for those who hold that view in the
erroneous conceptions of Christianity which have prompted various
mistakes on the part of missionaries. It is quite true that such or such
a system of complicated doctrinal belief, the product of long ages and
a special environment, may not suit the African. It is also true that, if
Christianity means Europeanisation—if it means that the African is
to be made over into a bad imitation of an Englishman or German—it
is impossible that it should gain any real hold on him. But it is no
exaggeration to say that no people on earth are more capable—many
are not so capable—of appreciating and acting on the spirit of the
Gospel, of simple love and trust in the Eternal Goodness and
goodwill towards their fellow-men.
The question is a wide one, which cannot be fully discussed within
these limits. Missionaries have often made mistakes and acted
injudiciously; they have in some cases done serious harm, not from
failure to act up to their principles, but from error in those very
principles and a fatal fidelity to them. They may have interfered
between chiefs and people, and broken down customs better left
alone, or may unwittingly have encouraged the wrong sort of
converts by welcoming all and sundry, including fugitives from
justice or people discontented with their home surroundings for
reasons quite unconnected with high spiritual aspirations. Or again,
they may incur blame for the deficiencies of alleged converts who,
after honouring the mission with their presence for a time, depart
(usually under a cloud) and victimise the first European who can be
induced to employ them.
But there is another side to the matter. A man—whether
consciously a follower of the Nietzschean doctrine or not—who
thinks that “the lower races” exist to supply him with labour on his
own terms, is naturally impatient of a religion which upholds the
claims of the weak, and recognizes the status of man as man. Hinc
illæ lacrymæ, in a good many cases. Honestly, I do not think this is
Dr. Weule’s view. But I cannot quite get rid of the suspicion that he
was repeating what he had heard from a planter, and that it was, in
strict accuracy, the planter’s convenience, and not the native, that
Christianity failed to “suit.” Anyone who has read a certain pamphlet
by Dr. Oetker, or Herr von St. Paul Illaire’s Caveant Consules, or
Herr Woldemar Schütze’s Schwarz gegen Weiss will not think this
remark too strong.
It would be deplorable, indeed, if those writers had to be taken as
typifying the spirit of German colonial administration in Africa, or
indeed anywhere else. But I do not think we have any right to
suppose that this is so. There has been, I think, too much militarism
—and very brutal militarism, in some cases—in that administration;
but this is an evil which appears to be diminishing. There is a
tendency, perhaps, to worry the native with over-minute government
regulations, which, no doubt, will as time goes on be corrected by
experience. And there is no lack of humane and able rulers who bring
to their task the same conscientious, patient labour which their
countrymen have bestowed on scientific research; who are trained
for their posts with admirable care and thoroughness, and grudge no
amount of trouble to understand and do justice to the people under
their care. They shall in no wise lose their reward.

A. WERNER.
CAPE GUARDAFUI
Native Life in East Africa
 CHAPTER I
OUTWARD BOUND

Dar es Salam, Whit-Sunday, 1906.

Six months ago it would not have entered my head in my wildest

dreams that I should spend my favourite festival, Whitsuntide, under
the shade of African palms. But it is the fact, nevertheless. I have now
been two days in the capital of German East Africa, a spot which may
well fascinate even older travellers than myself. Not that the scenery
is strikingly grand or majestic—on the contrary, lofty mountain-
masses and mighty rivers are conspicuous by their absence, and the
wide expanse of the open ocean contributes nothing directly to the
picture, for Dar es Salam lies inland and has no seaview worth
mentioning. The charm of the landscape lies rather in one of the
happiest combinations of flashing waters, bright foliage, and radiant
sunshine that can be imagined.
The entrance to the harbour gives to the uninitiated no hint of the
beauty to come. A narrow channel, choked with coral reefs, and, by
its abrupt turns, making severe demands on the skill of the pilot,
leads to the central point of a shallow bay which seems to have no
outlet. Suddenly, however, the vessel glides past this central point
into an extraordinarily narrow channel, with steep green banks on
either side, which opens out, before the traveller has had time to
recover from his astonishment, into a wide, glittering expanse,
covered with ships. That is the famous bay of Dar es Salam. In
presence of the obvious advantages of this locality, one need not have
lived for years in the country to understand why the Germans should
have been willing to give up the old caravan emporium of Bagamoyo
with its open roadstead for this splendid harbour, and thus make the
almost unknown native village of Dar es Salam the principal place in
the colony.[2]
 DAR ES SALAM HARBOUR

On the voyage out, I visited with much enjoyment both Mombasa

and Zanzibar, though unfortunately prevented by an accident (an
injury to my foot) from going ashore at the German port of Tanga. Of
these two English centres, Zanzibar represents the past, Mombasa
the present, and still more the future. It is true that Zanzibar has the
advantage in its situation on an island at a considerable distance
from the mainland, an advantage of which the mainland towns,
however splendid their future development, will never be able to
deprive it, since their lines of communication, both economic and
intellectual, will always converge on Zanzibar. But since the
completion of the Uganda Railway, Mombasa forms the real gateway
to the interior, and will do so in an increasing degree, as the
economic development of Central Africa—now only in its infancy—
goes on. Whether our two great German railways—as yet only
projected—can ever recover the immense advantage gained by
Mombasa, the future will show. We must hope for the best.
 NATIVE DANCE AT DAR ES SALAM

Mombasa and Zanzibar interested me more from a historical than

from a political point of view. How little do our educated and even
learned circles know of the exploration and development, the varied
political fortunes of this corner of the earth on the western shore of
the Indian Ocean! Only specialists, indeed, can be expected to know
that this year is the jubilee of the French Admiral Guillain’s epoch-
making work, Documents sur l’Histoire, la Géographie, et le
Commerce de l’Afrique Orientale, but it is extremely distressing to
find that our countryman, Justus Strandes’ Die Portugiesenzeit in
Deutsch- und Englisch-Ostafrika (1899) is not better known. Most of
us think that Eastern Equatorial Africa, considered as a field for
colonization, is as much virgin soil as Togo, Kamerun and German
South-West Africa, or the greater part of our possessions in the
South Seas. How few of us realise that, before us and before the
English, the Arabs had, a thousand years ago, shown the most
brilliant capacity for gaining and keeping colonies, and that after
them the Portuguese, in connection with and as a consequence of
Vasco da Gama’s voyage to India round the Cape of Good Hope in
1498, occupied an extensive strip of the long coast, and maintained
their hold on it for centuries? And yet these events—these struggles
for East Africa form one of the most interesting chapters in the
history of modern colonization. Here for the first time the young
European culture-element meets with an Eastern opponent worthy
of its steel. In fact that struggle for the north-western shores of the
Indian Ocean stands for nothing less than the beginning of that far
more serious struggle which the white race has waged for the
supremacy over the earth in general, and in which they already
seemed to be victorious, when, a few years ago, the unexpected rise
of Japan showed the fallacious nature of the belief so long
entertained, and perhaps also the opening of a new era.
Anyone who does not travel
merely for the sake of present
impressions, but is accustomed
to see the past behind the
phenomena of the moment, and,
like myself, leaves the area of
European culture with the
express object of using his
STREET IN THE NATIVE QUARTER, results to help in solving the
DAR ES SALAM great problem of man’s
intellectual evolution in all its
details, will find in the voyage to
German East Africa a better opportunity for survey and retrospect
than in many other great routes of modern travel.
This is the case as soon as one has crossed the Alps. It is true that
even the very moderate speed of the Italian express gives one no
chance for anthropological studies. In order to observe the
unmistakable Teutonic strain in the population of Northern Italy, it
would be necessary to traverse the plain of Lombardy at one’s
leisure. But already in the Adige Valley, and still more as one
advances through Northern and Central Italy, the stratification of
successive races seems to me to be symbolized by the three strata of
culture visible in the fields: corn below, fruit-trees planted between
it, and vines covering them above. Just so the Lombards, Goths and
other nations, superimposed themselves on the ancient Italian and
Etruscan stocks. On the long journey from Modena to Naples, it is
borne in upon one that the Apennines are really the determining
feature of the whole Italian peninsula, and that the Romans were
originally started on their career of conquest by want of space in
their own country. The only place which, in May, 1906, produced an
impression of spaciousness was the Bay of Naples, of which we never
had a clear view during our four or five days’ stay. A faint haze,
caused by the volcanic dust remaining in the air from the eruption of
the previous month, veiled all the distances, while the streets and
houses, covered with a layer of ashes, appeared grey on a grey
background—a depressing and incongruous spectacle. The careless
indolence of the Neapolitans, which as a rule strikes the industrious
denizens of Central Europe as rather comical than offensive, requires
the clear sky and bright sunshine, celebrated by all travellers (but of
which we could see little or nothing), to set it off.
From our school-days we have been familiar with the fact that the
countries bordering the Mediterranean—the seats of ancient
civilisation—are now practically denuded of forests. Yet the
landscape of Southern Italy and Sicily seems to the traveller still
more unfamiliar than that of the northern and central districts; it is
even more treeless, and therefore sharper in contour than the
Etruscan and Roman Apennines and the Abruzzi. But the most
striking feature to us inhabitants of the North-German plain are the
river-valleys opening into the Strait of Messina, leading up by steep
gradients into the interior of the country. At this season they seem
either to be quite dry or to contain very little water, so that they are
calculated to produce the impression of broad highways. But how
terrible must be the force with which the mass of water collecting in
the torrent-bed after heavy rains, with no forest-soil to keep it back,
rushes down these channels to the sea! To the right and left of
Reggio, opposite Messina, numbers of sinuous ravines slope down to
the coast, all piled high with débris and crossed by bridges whose
arches have the height and span of the loftiest railway viaducts.
It is scarcely necessary to say anything about Port Said and the
Suez Canal. Entering the Red Sea, I entered at the same time a
familiar region—I might almost say, one which I have made
peculiarly my own—it having fallen to my share to write the
monographs on the three oceans included in Helmolt’s
Weltgeschichte.[3] Of these monographs, that dealing with the
Atlantic seems, in the opinion of the general reader, to be the most
successful; but that on the Indian Ocean is undoubtedly more
interesting from the point of view of human history. In the first
place, this sea has this advantage over its eastern and western
neighbours, that its action on the races and peoples adjacent to it was
continued through a long period. The Pacific has historic peoples
(historic, that is to say, in the somewhat restricted and one-sided
sense in which we have hitherto used that term) on its north-western
margin, in eastern Asia; but the rest of its huge circumference has
remained dead and empty, historically speaking, almost up to the
present day. The Atlantic exactly reverses these conditions: its
historical density is limited to the north-eastern region, the west
coast of Africa, and the east coast of the Americas being (with the
exception of the United States) of the utmost insignificance from a
historical point of view.
Now the Indian Ocean formed the connecting link between these
two centres—the Mediterranean culture-circle in the west, and that
of India and Eastern Asia in the east,—at a time when both Atlantic
and Pacific were still empty and untraversed wastes of water. This,
however, is true, not of the whole Indian Ocean, but only as regards
its northern part, and in particular the two indentations running far
inland in a north-westerly direction, which we call the Red Sea and
the Persian Gulf. To-day, when we carry our railways across whole
continents, and even mountain ranges present no insuperable
obstacles to our canals, we imagine that masses of land as wide as the
Isthmus of Suez or the much greater extent of the “Syrian Porte”—
the route between the Persian Gulf and the Eastern Mediterranean—
must have been absolute deterrents to the sea-traffic of the ancients.
In a sense, indeed, this was the case; otherwise so many ancient
rulers would not have attempted to anticipate us in the construction
of the Suez Canal. But where technical skill is insufficient to
overcome such impediments, and where at the same time the
demand for the treasures of the East is so enormous as it was in
classical and mediæval times, people adapt themselves to existing
conditions and make use of navigable water wherever it is to be
found. Only thus can be explained the uninterrupted navigation of
the Red Sea during a period of several thousand years, in spite of its
dangerous reefs and the prevailing winds, which are anything but
favourable to sailing vessels.
 Only one period of repose—one might almost say, of enchanted
sleep—has fallen to the lot of the Red Sea. This was the time when
Islam, just awakened to the consciousness of its power, succeeded in
laying its heavy hand on the transition zone between West and East.
With the cutting of the Suez Canal, the last shadow of this ancient
barrier has disappeared, and the Red Sea and North Indian Ocean
have regained at a stroke, in fullest measure, their old place in the
common life of mankind.
The passengers on board our steamer, the Prinzregent, were
chiefly German and English; and at first a certain constraint was
perceptible between the members of the two nationalities, the latter
of whom seemed to be influenced by the dread and distrust
expressed in numerous publications of the last few years. Mr.
William Le Queux’s Invasion of 1910 was the book most in demand
in the ship’s library.
A more sociable state of things gradually came about during the
latter part of the voyage; and this largely through the agency of an
unpretending instrument forming part of my anthropological
equipment. One day, when we were nearing the Straits of Bab el
Mandeb, partly in order to relieve the tedium of the voyage, and
partly in order to obtain statistics of comparative strength, I
produced my Collin’s dynamometer. This is an oval piece of polished
steel, small enough to be held flat in the hand and compressed in a
greater or less degree, according to the amount of force expended,
the pressure being registered by means of cogged wheels acting on an
index which in its turn moves a second index on a dial-plate. On
relaxing the pressure, the first index springs back to its original
position, while the second remains in the position it has taken up
and shows the weight in kilogrammes equivalent to the pressure. The
apparatus, really a medical one, is well adapted for ascertaining the
comparative strength of different races; but its more immediate
usefulness appears to lie in establishing cordial relations between
total strangers in the shortest possible time. On that particular hot
morning, I had scarcely begun testing my own strength, when all the
English male passengers gathered round me, scenting some form of
sport, which never fails to attract them, young or old. In the
subsequent peaceful rivalry between the two nations, I may remark
that our compatriots by no means came off worst; which may serve
to show that our German system of physical training is not so much
to be despised as has been recently suggested by many competent to
judge, and by still more who are not so competent.
In his general attitude on board ship, the present-day German
does not, so far as my observations go, contrast in the least
unfavourably with the more experienced voyagers of other
nationalities. It is true that almost every Englishman shows in his
behaviour some trace of the national assumption that the supremacy
of the seas belongs to him by right of birth. Our existence, however,
is beginning to be recognized—not out of any strong affection for
“our German cousins,” but as a simple matter of necessity. If, for
comfort in travel, one must have recourse to German ships; and
when, at home and abroad, there is a German merchant-fleet and a
German navy to be reckoned with, the first of which keeps up an
assiduous competition, while the second is slowly but steadily
increasing, these things cannot fail to impress even the less cultured
members of the British nation. Only one thing is, and will be for
many years to come, calculated to make us ridiculous in the eyes of
Old England—and that is the Zanzibar Treaty. Never shall I forget
the looks of malicious triumph and the sarcastic condolences which
greeted us—the unfortunate contemporaries of the late Caprivi—
when we came in sight of Zanzibar. My friend Hiram Rhodes, of
Liverpool, the ever-smiling and universally popular, usually known
as “the laughing philosopher,” from his cheerful view of life, was not
as a rule given to sharp sayings, but with regard to the famous
political transaction, I distinctly remember to have heard him use the
expression, “Children in politics.” Caustic, but not undeserved!
Another remark of his, after viewing Dar es Salam: “That is the finest
colony I have ever seen!” served, it is true, as a touch of healing balm
—but no amount of conciliatory speeches will give us back Zanzibar!
 MAP OF THE MAIN CARAVAN ROAD, WITH ITS PRINCIPAL
BRANCHES. DRAWN BY SABATELE, A MMAMBWE

The object of the journey on which I have embarked may now be

briefly stated. Several decades since, and therefore before the
beginning of our colonial era, the Reichstag voted an annual grant of
some 200,000 marks for purposes of scientific research in Africa—
purely in the interests of knowledge and without any ulterior
intentions from a narrowly nationalist point of view. One might have
expected that, after the establishment of our settlements in Africa
and the Pacific, this fund would unhesitatingly have been devoted,
wholly or in part, to the systematic exploration and study of these
colonies of ours. But this has not been done, or only in a very
uncertain and desultory manner—to the great grief of German
scientific circles, who, under these circumstances, were forced to
content themselves with the occasional reports of civil and military
officials supplemented by sporadic research expeditions, official or
private.
It was not till the first Colonial Congress in 1902 that a more
vigorous agitation took place for the application of the African Fund
on a large scale to the systematic investigation of our dependencies.
From specialists in all branches of knowledge—geography and
geology, anthropology and ethnography, zoology and botany,
linguistics, comparative law, and the new science of comparative
music—arose the same cry, with the result that, three years later, at
the second Colonial Congress (October, 1905), we were in a position
to state clearly the most pressing problems and mark out the
 principal fields of research in
each subject. It might, however,
have taken years to put the work
in hand, but for the “Committee
for the Geographical
Exploration of the German
Colonies,” and its energetic
president, Dr. Hans Meyer, who
rescued the proceedings from
their normal condition of
endless discussions, and
translated them at one stroke
into action. Dr. Jäger, Herr
Eduard Oehler, and myself are
the living proofs of this (in our
COURTYARD AT DAR ES SALAM—Dolce far country) unwonted rapidity of
niente decision, being selected to carry
out the instructions of the
Committee (which is affiliated to the Colonial Office) and help to
realise the long-cherished dream of German science.
The task of the two gentlemen I have mentioned is purely
geographical, consisting in the examination of the interesting
volcanic area situated between Kilimanjaro and the Victoria Nyanza,
while I am commissioned to bring some order into the chaos of our
knowledge concerning the tribes who occupy approximately the
same region. It must be remembered that the country surrounding
Lakes Manyara and Eyasi, and extending to a considerable distance
south of them, swarms with tribes and peoples who, in spite of the
fact that our acquaintance with them dates more than twenty years
back, still present a variety of ethnological problems. Among these
tribes are the Wasandawi, whose language is known to contain clicks
like those of the Hottentots and Bushmen, and who are conjectured
to be the forgotten remnant of a primæval race going back to
prehistoric ages. The Wanege and Wakindiga, nomadic tribes in the
vicinity of Lake Eyasi, are said to be akin to them. In the whole mass
of African literature, a considerable part of which I have examined
during my twenty years’ study of this continent, the most amusing
thing I ever came across is the fact that our whole knowledge up to
date of these Wakindiga actually results from the accident that
Captain Werther had a field-glass in his hand at a given moment.
This brilliant traveller, who traversed the district in question twice
(in 1893 and 1896), heard of the existence of these people, but all
that he saw of them was a distant telescopic view of a few huts. As yet
we know no more of them than their bare name, conscientiously
entered in every colonial or ethnological publication that makes its
appearance.
Another group of as yet insufficiently-defined tribes is represented
by the Wafiomi, Wairaku, Wawasi, Wamburu and Waburunge. All
these are suspected of being Hamites, and some of them have
evolved remarkable culture-conditions of their own. But, under the
onrush of new developments, they are in danger of losing their
distinctive character still more rapidly than other African peoples,
and, if only for this reason, systematic observations are needed
before it is too late. The same may be said of the Wataturu or Tatoga,
who are undoubtedly to be looked on as the remnant of a formerly
numerous population. They are said to speak a language related to
Somali, but now live scattered over so wide a territory that the
danger of their being effaced by absorption in other races is, if
possible, still greater than in the case of the others. The last of the
tribes which specially concern me are the Wanyaturu, Wairangi and
Wambugwe. All of these belong to the great Bantu group, but have,
in consequence of their isolation, preserved certain peculiarities of
culture so faithfully that they too will be well worth a visit.

IN THE EUROPEAN QUARTER, DAR ES SALAM