|
| 1 | +\subsection{Adversary model}% |
| 2 | +\label{formal-adversary-model} |
| 3 | + |
| 4 | +We now provide a concretely defined system and adversary model. |
| 5 | +We give three definitions, each defines an adversary with increasingly stronger |
| 6 | +capabilities (\ie more auxiliary information). |
| 7 | + |
| 8 | +There are three players: the protest participant (with identity) \(P\), a |
| 9 | +witness (with identity) \(W\) and the storage \(S\). |
| 10 | +The adversary \(A\) controls \(W\) and \(S\). |
| 11 | +This is illustrated in \cref{fig:base-adversary}. |
| 12 | + |
| 13 | +\begin{figure} |
| 14 | + \centering |
| 15 | + \includegraphics{base-adversary.tikz} |
| 16 | + \caption{\label{fig:base-adversary}% |
| 17 | + An overview of the base adversary model. |
| 18 | + The protester with real identity \(P\) and witness with real identity \(W\) |
| 19 | + communicate. |
| 20 | + They exchange protocol data, \(d_{P,W}(\cid, P)\), and record the time it |
| 21 | + happened, \(t_{P,W}\). |
| 22 | + The protester submits \(f(d_{P,W}(\cid, P))\), for some function \(f\), to |
| 23 | + the storage \(S\), who records the time it happened, \(t_{P,S}\). |
| 24 | + Both the witness \(W\) and storage \(S\) are controlled by the adversary |
| 25 | + \(A\). |
| 26 | + } |
| 27 | +\end{figure} |
| 28 | + |
| 29 | +\begin{definition}[Base adversary]% |
| 30 | + \label{base-adversary} |
| 31 | + The protester \(P\) and the witness \(W\) communicate. |
| 32 | + Each learns only the protocol data \(d_{P,W}(\cid, P)\) and when the |
| 33 | + communication occurred \(t_{P,W}\)\footnote{% |
| 34 | + Specifically, they do \emph{not} learn the real identities \(P\) and \(W\) |
| 35 | + directly from the communication medium, only if those appear in the data |
| 36 | + \(d_{P,W}(\cid, P)\). |
| 37 | + }. |
| 38 | + The protester \(P\) communicates with \(S\), in which \(S\) only learns |
| 39 | + \(f(d_{P,W}(\cid, P))\), for some function \(f\), and the time of the |
| 40 | + communication (\(t_{P,S}\)) but not the real identities. |
| 41 | + The adversary controls \(W\) and \(S\) and thus learns everything that they |
| 42 | + do, but can additionally correlate what he learns from \(W\) and \(S\). |
| 43 | +\end{definition} |
| 44 | + |
| 45 | +The base adversary (\cref{base-adversary}) represents an adversary that has no |
| 46 | +access to auxiliary information, \eg inferences that can be done from the |
| 47 | +communication layer, which means that it has only the protocol data at its |
| 48 | +disposal. |
| 49 | + |
| 50 | +We find \cref{base-adversary} suitable when the protester and witness both move |
| 51 | +in a crowd and there is no way for the witness to decide exactly with whom he |
| 52 | +or she communicates with. |
| 53 | +However, in some situations this might not be the case: \Eg if the crowd is not |
| 54 | +dense the witness will likely see the face of the protester. |
| 55 | +If the witness is controlled by the adversary, then it is likely that the |
| 56 | +witness can capture a picture of the face, which can be turned into an identity |
| 57 | +through face recognition. |
| 58 | +There are various such scenarios leading to the adversary learning the |
| 59 | +protester's identity, we capture this by the following definition. |
| 60 | + |
| 61 | +\begin{definition}[Deanonymizing-witness adversary]% |
| 62 | + \label{deanonymizing-witness-adversary} |
| 63 | + The situation is the same as in \cref{base-adversary}, but now the witness |
| 64 | + \(W\) learns the protester \(P\)'s identity from an auxiliary channel. |
| 65 | + (\(P\) will also learn \(W\)'s identity.) |
| 66 | + However, \(S\) still does not learn \(P\)'s identity. |
| 67 | +\end{definition} |
| 68 | + |
| 69 | +\daniel{The deanonymizing witness captures: a1, a4, a5. (See Simon's notes on |
| 70 | + Slack.)} |
| 71 | + |
| 72 | +One reason to not allow \(S\) to learn \(P\)'s identity is that for this communication \(P\) has options, such as Tor~\cite{Tor}, for anonymous communication. |
| 73 | +However, given a strong enough adversary, such anonymous communication might not be possible. |
| 74 | +We capture such a strong adversary in the following definition. |
| 75 | + |
| 76 | +\begin{definition}[Deanonymizing adversary]% |
| 77 | + \label{deanonymizing-adversary} |
| 78 | + Everything is the same as in \cref{deanonymizing-witness-adversary}, except |
| 79 | + that now \(S\) also learns \(P\)'s identity from an auxiliary channel. |
| 80 | +\end{definition} |
| 81 | + |
| 82 | +\daniel{The deanonymizing adversary additionally captures: a2, a3 (\ie a1, a2, |
| 83 | + a3, a4, a5).} |
0 commit comments