Stefan Brands is contributing to the discussion of traceability, inkability and selective disclosure with a series of posts over at identity corner. He is one of the world's key innovators in the cryptography of unlinkability, so his participation is especially interesting.
Consider a user who self-generates several identity claims at different occassions, say â€œI am 25 years of ageâ€, â€œI am maleâ€, and â€œI am a citizen of Canadaâ€. The userâ€™s software packages these assertions into identity claims by means of attribute type/value pairs; for instance, claim 1 is encoded as â€œage = 25â€, claim 2 is â€œgender = 0â€, and claim 3 is â€œcitizenship = 1â€. Clearly, relying parties that receive these identity claims cannot trace them to their userâ€™s identity (whether that be represented in the form of a birth name, an SSN, or another identifier) by analyzing the presented claims; self-generated claims are untraceable. Similarly, they cannot decide whether or not different claims are presented by the same or by different users; self-generated claims are unlinkable.
Note that these two privacy properties (which are different but, as we will see in the next paragraph, complementary) hold â€œunconditionally;â€ no amount of computing power will enable relying parties to trace or link by analyzing incoming identity-data flows, not even if relying parties collude (indeed, they may be the same entity).
Now, consider the same self-generated identity claims, but this time their user â€œself-protectsâ€ them by means of a self-generated cryptographic key pair (e.g., a random RSA private key and its corresponding public key). The user digitally signs the identity claims with his private key; for example, claim 1 as presented to a relying party looks like â€œage = 25; PublicKey = 37AC986Bâ€¦; Signature = 21A4A5B6â€¦â€. Clearly, these self-protected claims are as untraceable as their unprotected cousins in the previous paragraph. Are they unlinkable? Well, that depends:
- If the user applies the same key pair to all claims, then the public key that is present in the presented messages will be the same; thus, all presented identity claims are linkable. As a result, a relying party that receives all three claims over time knows that it is dealing with a 25-year old Canadian male. As the user over time presents more linkable claims, this may indirectly lead to traceability; for example, the relying party may be able to infer the userâ€™s birth name once the user presents a linkable identity claim that states the postal code of his home address.
- If the user applies a different self-generated key pair to each identity claim, the three presented claims are as unlinkable and untraceable as in the example where no cryptographic data was appended. Note that this solution does notforce unlinkability and untraceability: in cases where the user should be identified, the user can simply provide a claim that specifies his name: â€œname=Jon Smithâ€ or â€œSSN-identifier=945278476â€, for instance. Similarly, to make self-generated identity claims linkable, an additional common attribute value can be encoded
This is a clear way to introduce the notion of how keys and signatures affect tracability and linkability of claims. However there is more to consider. Even if the user applies a different self-generated key pair for each of the three attributes discussed above, if the three attributes are transfered in a single transaction, they are still linked. The transaction itself links the attribute assertions. Convenyance of multiple claims is a very common case.
Similarly, if Stefan's three attributes are released during what can be considered to be the same session, they are linked, again regardless of the cryptography. And if they are released within a given time window from the same transport (IP) address, they should be considered linked too.
While cryptography is one factor contributing to linkability, we need to look at the protocol patterns and visibility they render possible as well. I'll be starting to do that in my next posting.