Privacy properties

[dbosk]

This issue merges #29 and #30.

• [x] Unlinkability: Given cid and pid, Grace cannot distinguish if pid was computed on cid by Alice or Bob. This follows from Camenisch's paper (see #27 ).

The $cid$ is static for a protest and represents a cause, \ie opinion, maybe government critical.

• [ ] Hide $cid$. If the $cid$ is not hidden, the government can attend the protest and arrest everyone supporting $cid$. Also, witnesses might discriminate against participants with $cid$s they disapprove of. E.g. a small minority can never reach the threshold in the trustless scenario. So we should hide $cid$.

cid can (probably) be hidden by committing to cid and proving knowledge of the commitment and the computation of pid. Then the commitment can be opened when the proof is published.

• [ ] Blind $pid$. Since the pseudonym $pid$ is static for a participant during a protest and after. Each witness can map a person (e.g. take a photo) to the $pid$. When the associated $cid$ is revealed in the submission step, the government can again find the $pid--cid$ relation, and thus map persons (phots) to $cid$s. Thus we must blind $pid$ for the witnesses and then unblind $pid$ (and $wid$, $wsig$) in the verification phase, then we achieve unlinkability.

Since the witnesses computes $wid = PRF_k(pid)$ they should not be trackable across different proofs, only "within" proofs. This should also follow from Camenisch (as above, #27).

• [x] Difficulty of forging valid proofs without key? This should reduce to difficulty of cheating when proving correctness (ZKP and NIZKP).

• [x] Forging designated event? This should reduce to difficulty of finding second preimages for the hash function.

[dbosk]

Basically we want unlinkability between \cid and Alice's real identity.

[dbosk]

Sonja B [12:37] I still don’t see how hiding/blinding helps against A2. If they have side information about your identity and you upload something to the blockchain, then they get you because you can’t hide the cid on upload if you want to count

dbosk [12:38] They cannot have side-info on both sides. If they have side-info on both sides we're screwed. But we can do with one of them if we hide/blind, because then they cannot correlate. Well, the storage must not know the identity. Ah, yes, we probably cannot do A2.

Sonja B [12:40] if they only have the side info on the network, then they don’t know whether you’re a participant or a witness, but that you were there because otherwise you would not upload anything containing cid

dbosk [12:40] As it's phrased. Correct. We should rename it to global passive adversary And then point out in the discussion that a nation state is equivalent to a global passive adv in this situation.

Sonja B [13:18] So would it make sense to say that a2 is essentially a global passive adv and it’s too strong a requirement to resist that before the paper can be published? This is what I was getting at with my mail yesterday.

dbosk [13:18] Yes, I think so.

Sonja B [13:19] And, are we now on the same page that hiding/blinding doesn’t really help other than in the narrow case where there is a counter protest in the same place and there’s a risk of discrimination?

dbosk [13:20] Yes Hiding/blinding will not help against a global passive adv. Only when the witnesses has a side-channel.

Sonja B [13:41] only when the witness has a side channel and the gvt has no access to isp data

dbosk [13:41] Yes.

Sonja B [13:42] then I say this is very low priority

dbosk [13:42] I can agree to that :slightly_smiling_face:

[sbuc]

tabled for now as there is no substantial benefit, see discussion. Perhaps we will come up with some at some point, then we can revisit.