Closed dbosk closed 5 years ago
Basically we want unlinkability between \cid and Alice's real identity.
Sonja B [12:37] I still don’t see how hiding/blinding helps against A2. If they have side information about your identity and you upload something to the blockchain, then they get you, because you can’t hide the cid on upload if you want to count.
dbosk [12:38] They cannot have side-info on both sides. If they have side-info on both sides we're screwed. But we can do with one of them if we hide/blind, because then they cannot correlate. Well, the storage must not know the identity. Ah, yes, we probably cannot do A2.
Sonja B [12:40] If they only have the side info on the network, then they don’t know whether you’re a participant or a witness, but they do know that you were there, because otherwise you would not upload anything containing cid.
dbosk [12:40] As it's phrased, correct. We should rename it to "global passive adversary", and then point out in the discussion that a nation state is equivalent to a global passive adv in this situation.
Sonja B [13:18] So would it make sense to say that A2 is essentially a global passive adv and it’s too strong a requirement to resist that before the paper can be published? This is what I was getting at with my mail yesterday.
dbosk [13:18] Yes, I think so.
Sonja B [13:19] And, are we now on the same page that hiding/blinding doesn’t really help other than in the narrow case where there is a counter protest in the same place and there’s a risk of discrimination?
dbosk [13:20] Yes. Hiding/blinding will not help against a global passive adv, only when the witnesses have a side-channel.
Sonja B [13:41] Only when the witness has a side channel and the gvt has no access to ISP data.
dbosk [13:41] Yes.
Sonja B [13:42] Then I say this is very low priority.
dbosk [13:42] I can agree to that 🙂
Tabled for now, as there is no substantial benefit; see discussion. Perhaps we will come up with some at some point, then we can revisit.
This issue merges #29 and #30.
The $cid$ is static for a protest and represents a cause, \ie an opinion, possibly government-critical.
cid can (probably) be hidden by committing to cid and proving knowledge of the commitment and the computation of pid. Then the commitment can be opened when the proof is published.
Since the witnesses compute $wid = PRF_k(pid)$, they should not be trackable across different proofs, only "within" proofs. This should also follow from Camenisch (as above, #27).
[x] Difficulty of forging valid proofs without key? This should reduce to difficulty of cheating when proving correctness (ZKP and NIZKP).
[x] Forging designated event? This should reduce to difficulty of finding second preimages for the hash function.
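The two mechanisms the issue body sketches, committing to $cid$ so it can be opened later and deriving $wid = PRF_k(pid)$, as an added toy model that is not the project's code. It instantiates the commitment as a salted SHA-256 hash and the PRF as HMAC-SHA256 (both my assumptions), omits the zero-knowledge proof of knowledge entirely, and treats $pid$ as an opaque byte string since the issue does not define how it is computed. What it shows is the tension from the discussion: before opening, commitments to the same $cid$ are all distinct, so nobody can count participants per cause; after opening, verified openings can be tallied; and a witness's $wid$ is stable within one proof (same $pid$) but unlinkable across proofs (different $pid$) without $k$.

```python
"""Toy model of hiding cid via a commitment and deriving wid = PRF_k(pid).
Added example for this issue, not the project's code. The ZK proof-of-knowledge
step discussed in the issue is NOT implemented here."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

DIGEST = hashlib.sha256


def commit(cid: bytes, nonce: bytes = b"") -> Tuple[bytes, bytes]:
    """Hash commitment C = H(nonce || cid); returns (commitment, nonce).
    Assumption: a 32-byte random nonce. It is what makes the commitment hiding;
    without it the small set of plausible cids could simply be brute-forced."""
    if not nonce:
        nonce = secrets.token_bytes(32)
    return DIGEST(nonce + cid).digest(), nonce


def open_commitment(commitment: bytes, cid: bytes, nonce: bytes) -> bool:
    """Verify an opening. Binding: a different cid (or nonce) does not verify."""
    return hmac.compare_digest(DIGEST(nonce + cid).digest(), commitment)


def witness_id(k: bytes, pid: bytes) -> bytes:
    """wid = PRF_k(pid), instantiated with HMAC-SHA256 (assumption).
    Only the holder of k can recompute or link wids."""
    return hmac.new(k, pid, DIGEST).digest()


def tally(openings: List[Tuple[bytes, bytes, bytes]]) -> Dict[bytes, int]:
    """Count participants per cid from (commitment, cid, nonce) openings.
    Only openings that verify are counted; this is what becomes possible once
    the commitments are opened, and impossible while they are still hidden."""
    counts: Dict[bytes, int] = {}
    for commitment, cid, nonce in openings:
        if open_commitment(commitment, cid, nonce):
            counts[cid] = counts.get(cid, 0) + 1
    return counts


def demo() -> Dict[str, bool]:
    """Run the scenario on constructed sample data and return the checks."""
    cid = b"cause:sample-protest"        # constructed sample cid, static per protest
    k = secrets.token_bytes(32)          # a witness's PRF key, never published
    pid_proof_1 = b"pid:proof-1"         # constructed opaque pids, one per proof
    pid_proof_2 = b"pid:proof-2"

    # Two participants commit to the same cid with independent nonces.
    c1, n1 = commit(cid)
    c2, n2 = commit(cid)
    openings = [(c1, cid, n1), (c2, cid, n2), (c1, b"cause:other", n1)]

    return {
        # Hiding: identical cid, yet the published commitments differ,
        # so an observer cannot count per cause before opening.
        "commitments_differ_for_same_cid": c1 != c2,
        "opening_verifies": open_commitment(c1, cid, n1),
        "wrong_cid_rejected": not open_commitment(c1, b"cause:other", n1),
        # Counting works only on verified openings (the bogus third one is dropped).
        "tally_after_opening": tally(openings) == {cid: 2},
        # Linkable within a proof, unlinkable across proofs.
        "wid_stable_within_proof": witness_id(k, pid_proof_1) == witness_id(k, pid_proof_1),
        "wid_differs_across_proofs": witness_id(k, pid_proof_1) != witness_id(k, pid_proof_2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that none of this addresses the point the chat settles on: the commitment hides which cause an upload belongs to, but not the fact that an upload happened, which is exactly what a global passive adversary with ISP-side data observes.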