Quantify what it means for the adversary to link in adversary model

[dbosk]

What do we mean by the adversary linking cid and P? Are we fine if we have 2-anonymity? If it's a 50% chance that the adversary is correct?

[dbosk]

I suppose that this might become clear with the proofs. See what we can say in the proofs and use those limits.

[dbosk]

Privacy properties, P1 and P2: how hard is unlinkability? What do we mean by unlinkability? How difficult should it be to link to call it unlinkability?

[dbosk]

We want pseudonyms to be indistinguishable (P1):

• Adversary chooses \cid, gives to challenger. Challenger flips b \in \bin (0 for Alice, 1 for Bob) and returns \pid_b(\cid) to the adversary. The adversary outputs b' and wins if b = b'.

\Ie the adversary has negligible advantage over guessing if it was created by Alice or Bob.

We want pseudonyms between protests/protesters to be indistinguishable (P2, P3):

• Adversary chooses \cid_0 and \cid_1, gives to challenger. Challenger flips b \in \bin. If b = 0, the challenger returns \pid_A(\cid_0) and \pid_A(\cid_1). If b = 1, the challenger returns \pid_A(\cid_0), \pid_B(\cid_1). The adversary outputs b' and wins if b = b'.

P1 \equiv P2,P3

[dbosk]

P2, P3: Given \cid, \cid', the probability of \pid(\cid) = \pid(\cid') must be \approx 2^{-2|\pid|}.

[dbosk]

Pfitzman-Hansen has sets for unlinkability, look this up and add ref.

[sbuc]

Pfitzmann/Hansen: Unlinkability of two or more items of interest (IOIs, e.g., subjects, messages, actions, ...) from an attacker’s perspective means that within the system (comprising these and possibly other items), the attacker cannot sufficiently distinguish whether these IOIs are related or not.3

[sbuc]

11.2 Linkability due to the use of a pseudonym across different contexts With respect to the degree of linkability, various kinds of pseudonyms may be distinguished according to the kind of context for their usage: a) person pseudonym: A person pseudonym is a substitute for the holder’s name which is regarded as representation for the holder’s civil identity. It may be used in many different contexts, e.g., a number of an identity card, the social security number, DNA, a nickname, the pseudonym of an actor, or a mobile phone number. b) role pseudonym: The use of role pseudonyms is limited to specific roles74, e.g., a customer pseudonym or an Internet account used for many instantiations of the same role “Internet user”. The same role pseudonym may be used with different communication partners. Roles might be assigned by other parties, e.g., a company, but they might be chosen by the subject himself/herself as well. c) relationship pseudonym: For each communication partner, a different relationship pseudonym is used. The same relationship pseudonym may be used in different roles for communicating with the same partner. Examples are distinct nicknames for each communication partner.75 d) role-relationship pseudonym: For each role and for each communication partner, a different role-relationship pseudonym is used. This means that the communication partner does not necessarily know, whether two pseudonyms used in different roles belong to the same holder. On the other hand, two different communication partners who interact with a user in the same role, do not know from the pseudonym alone whether it is the same user.76 e) transaction pseudonym77: For each transaction, a transaction pseudonym unlinkable to any other transaction pseudonyms and at least initially unlinkable to any other IOI is used, e.g., randomly generated transaction numbers for online-banking. Therefore, transaction pseudonyms can be used to realize as strong anonymity as possible.78

[dbosk]

Not straightforward to place our pseudonym there. Maybe we need to introduce another: context pseudonym?

It's a person pseudonym. Yet it's not constant, so it's not.

It's also a role pseudonym. It's different for whether the person is a protester (role) or witness (role). But it's also different for another protest, so it's not.

The witness pseudonym is a relationship pseudonym. It's different for each partner (protester). But not the same for the same partner but another protest. So it's not.

It's not a transaction pseudonym since the pseudonym remains the same with several witnesses.

[dbosk]

Maybe we're fine with respect to the original question. We say that the adversary cannot distinguish, i.e. it's equal probability given a set of users. Some of the discussion is more related to the formalization. Move it to that milestone?

[sbuc]

added a pointer to role-relationship and that it gets narrower (something which is actually left out in PH, it matters how wide a role or relationship is)

[dbosk]

Maybe we should add that to Pfitzmann-Hansen. Last edits were by Claudia Diaz in 2010.

On Fri 01 Mar 2019 00:49:20 GMT, sbuc wrote:

added a pointer to role-relationship and that it gets narrower (something which is actually left out in PH, it matters how wide a role or relationship is)

-- You are receiving this because you were assigned. Reply to this email directly or view it on GitHub: https://github.com/dbosk/crocus/issues/127#issuecomment-468590466