From 72b0d977590e4cdc81608443b548e5a5276ad137 Mon Sep 17 00:00:00 2001
From: Christopher Wood <caw@heapingbits.net>
Date: Fri, 16 Sep 2022 08:37:20 -0400
Subject: [PATCH] Add section on timing attacks

Closes #191.

cc @tfpauly, @nikitaborisov
---
 draft-ietf-privacypass-architecture.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/draft-ietf-privacypass-architecture.md b/draft-ietf-privacypass-architecture.md
index a2082cb6..3c75c26a 100755
--- a/draft-ietf-privacypass-architecture.md
+++ b/draft-ietf-privacypass-architecture.md
@@ -728,7 +728,20 @@ hit:
   Output resp
 ~~~
 
-## Centralization
+## Side-Channel Attacks
+
+Side-channel attacks, such as those based on timing correlation, could be
+used to link attestation and redemption contexts together. In particular,
+for interactive tokens that are bound to a Client-specific redemption
+context, the anonymity set of Clients during the issuance protocol consists
+of those Clients that started issuance between the time of the Origin's
+challenge and the corresponding token redemption. Depending on the number
+of Clients using a particular Issuer during that time window, the set can
+be small. Appliations should take such side channels into consideration before
+choosing a particular deployment model and type of token challenge and redemption
+context.
+
+# Centralization
 
 A consequence of limiting the number of participants (Attesters or Issuers) in
 Privacy Pass deployments for meaningful privacy is that it forces concentrated