dbosk
commented
6 years ago We can take a photo of the person who uses $pid$, then later map $pid$ to $cid$ (if we can't already) and then arrest government critics.
We can hide $cid$ by changing the proof of knowledge to also prove knowledge of $cid$ and not reveal it.
We can blind $pid$ to prevent this. Say $pid = g_T^{1/(k + cid)}$. Then we let $blind_r(pid) = pid^{1/r} = g_T^{1/r(k + cid)} = g_T^{1/(r k + r cid)}$. Then we must be able to unblind $wid = g_T^{1/(k_W + pid)}$ and still verify the proofs.
The $cid$ is static for a protest and represents a cause, \ie opinion, maybe government critical.
[ ] Hide $cid$. If the $cid$ is not hidden, the government can attend the protest and arrest everyone supporting $cid$. Also, witnesses might discriminate against participants with $cid$s they disapprove of. E.g. a small minority can never reach the threshold in the trustless scenario. So we should hide $cid$.
[ ] Blind $pid$. Since the pseudonym $pid$ is static for a participant during a protest and after. Each witness can map a person (e.g. take a photo) to the $pid$. When the associated $cid$ is revealed in the submission step, the government can again find the $pid--cid$ relation, and thus map persons (phots) to $cid$s. Thus we must blind $pid$ for the witnesses and then unblind $pid$, $wid$, $wsig$ in the verification phase, then we achieve unlinkability.
Since the witnesses computes $wid = PRF_k(pid)$ they should not be trackable across different proofs, only "within" proofs. We need an adversarial game which formally defined how hard this is. Probably the security analysis will be similar as for #29 .