dbosk / crocus

Securely and privately verifiable protests
Other
0 stars 0 forks source link

Receipt freeness/Unlinkability vs Sybil #23

Closed dbosk closed 6 years ago

dbosk commented 7 years ago

Can we have unlinkability between Alice and her proof and still achieve Sybil resistance? With unlinkability, what prevents Alice from obtaining a second valid proof? If Alice can be prevented from obtaining a second proof, cannot that be used to verify Alice's participation?

dbosk commented 7 years ago

Alice can remove her keys, then no computations can be reproduced. But then she can never participate again.

A validity period of the keys would ensure that she can eventually renew though, so she can participate once every $n$ time-units.

dbosk commented 7 years ago

If there is a way to update the key $k$, as in forward secrecy, then that must lead to Sybil attacks. Right?

dbosk commented 7 years ago

There is an option to have the keys in secure hardware. Then the chip will refuse to compute on the same value twice, but this can probably be used by Eve as proof that Alice has participated.

Can we include a timestamp? This will yield an output, but a different one. This should lead to Sybil attacks: Alice computes values at different points in time.

Smartcards that depend on biometry can be used if Eve is a clandestine attacker. However, the setting of Eve as an autocrat rules out this option, she will force Alice's hand.

dbosk commented 7 years ago

Since pid is PRFkp(cid), if an attacker gets a hold of P's kp, they can check whether they have been to other protests or the very pid
that P has gotten rid of.

Exactly, I have a discussion about that in #23. I don't think that we can achieve any form of deniability as long as we have protection from Sybil.

E.g. forward secrecy would allow Alice to participate twice (new pid with the updated key). She could delete the key, but then she can never participate in any protest again. Which makes us think of renewing it, and that leads back to FS.

dbosk commented 7 years ago

Alice keeps the hash from the blockchain and throws away pid, that means she first needs to get that value from the blockchain. What if she is arrested earlier?

If she's arrested after committing her proof but before receiving the hash, that's a problem.

Actually, it's a problem if she's arrested before submitting the NIZK proofs. Because none of her proof shares are valid without the NIZK proofs, which she can submit at a later time. (Those need not be committed to the blockchain.)

What if she is captured at the protest?

We cannot help her then. I think we said in the introduction that we cannot add privacy, we just ensure that this system doesn't add any risk to her after the protest. (Well, at the moment her key adds a way to link her to a proof, but we'd like to solve that problem too.)

dbosk commented 7 years ago

We can quantify a trade-off using rate limiting. Alice's ability to perform a Sybil attack is directly proportional to her ability to renew her keys, i.e. how often she can get a new passport/ID-card etc.

dbosk commented 6 years ago

I've added some of this discussion in the conclusions.

dbosk commented 6 years ago

Ensure that we point out the relation between eligibility and receipt freeness.