{"id":796,"date":"2007-06-04T19:04:32","date_gmt":"2007-06-05T03:04:32","guid":{"rendered":"\/?p=796"},"modified":"2007-07-17T22:07:14","modified_gmt":"2007-07-18T06:07:14","slug":"keys-signatures-and-linkability","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=796","title":{"rendered":"Keys, signatures and linkability"},"content":{"rendered":"<p>Stefan Brands&nbsp;is <a href=\"http:\/\/www.idcorner.org\/?p=151\" class=\"broken_link\">contributing<\/a> to&nbsp;the discussion of traceability, linkability and selective&nbsp;disclosure with a series of posts over at <a href=\"http:\/\/www.idcorner.org\" class=\"broken_link\">identity corner<\/a>.&nbsp; He is&nbsp;one of&nbsp;the world&#39;s key innovators in the cryptography of&nbsp;unlinkability, so his participation is especially interesting.&nbsp; &nbsp;<\/p>\n<blockquote><p>Consider a user who <em>self-generates<\/em> several identity claims at different occasions, say \u201c<em>I am 25 years of age<\/em>\u201d, \u201c<em>I am male<\/em>\u201d, and \u201c<em>I am a citizen of Canada<\/em>\u201d. The user\u2019s software packages these assertions into identity claims by means of attribute type\/value pairs; for instance, claim 1 is encoded as \u201c<em>age = 25<\/em>\u201d, claim 2 is \u201c<em>gender = 0<\/em>\u201d, and claim 3 is \u201c<em>citizenship = 1<\/em>\u201d. Clearly, relying parties that receive these identity claims cannot <em>trace<\/em> them to their user\u2019s identity (whether that be represented in the form of a birth name, an SSN, or another <em>identifier<\/em>) by analyzing the presented claims; self-generated claims are <em>untraceable<\/em>. 
Similarly, they cannot decide whether or not different claims are presented by the <em>same<\/em> or by <em>different<\/em> users; self-generated claims are <em>unlinkable<\/em>.<\/p>\n<p>Note that these two privacy properties (which are different but, as we will see in the next paragraph, complementary) hold \u201cunconditionally;\u201d no amount of computing power will enable relying parties to trace or link by analyzing incoming identity-data flows, not even if relying parties collude (indeed, they may be the same entity).<\/p>\n<p>Now, consider the same self-generated identity claims, but this time their user \u201cself-protects\u201d them by means of a self-generated cryptographic key pair (e.g., a random RSA private key and its corresponding public key). The user digitally signs the identity claims with his private key; for example, claim 1 as presented to a relying party looks like \u201c<em>age = 25; PublicKey = 37AC986B\u2026; Signature = 21A4A5B6\u2026<\/em>\u201d. Clearly, these self-protected claims are as <em>untraceable<\/em> as their unprotected cousins in the previous paragraph. Are they <em>unlinkable<\/em>? Well, that depends:<\/p>\n<ul>\n<li>If the user applies the same key pair to all claims, then the public key that is present in the presented messages will be the same; thus, all presented identity claims are <em>linkable<\/em>. As a result, a relying party that receives all three claims over time knows that it is dealing with a 25-year old Canadian male. 
As the user over time presents more linkable claims, this may <em>indirectly<\/em> lead to traceability; for example, the relying party may be able to infer the user\u2019s birth name once the user presents a linkable identity claim that states the postal code of his home address.<\/li>\n<li>If the user applies a <em>different<\/em> self-generated key pair to each identity claim, the three presented claims are as unlinkable and untraceable as in the example where no cryptographic data was appended. Note that this solution does <em>not<\/em> force unlinkability and untraceability: in cases where the user should be identified, the user can simply provide a claim that specifies his name: \u201c<em>name=Jon Smith<\/em>\u201d or \u201c<em>SSN-identifier=945278476<\/em>\u201d, for instance. Similarly, to make self-generated identity claims linkable, an additional common attribute value can be encoded.<\/li>\n<\/ul>\n<\/blockquote>\n<p>This is a&nbsp;clear way to introduce the notion of how keys and signatures affect traceability and linkability of claims.&nbsp; However,&nbsp;there is more to consider.&nbsp; Even if the user applies a different self-generated key pair for each of the three attributes discussed above,&nbsp;if the three attributes are transferred in a single transaction, they are still linked.&nbsp; The transaction itself links the attribute assertions.&nbsp; Conveyance of multiple claims is a very common case.<\/p>\n<p>Similarly,&nbsp;if&nbsp;Stefan&#39;s three attributes are released during what can be considered to be the same session, they are linked, again regardless of the cryptography.&nbsp; And if they are released within a given time window from the same transport (IP) address, they&nbsp;should be considered&nbsp;linked too.<\/p>\n<p>While cryptography is one factor contributing to linkability, we need to look at the protocol patterns and visibility they render possible as well.&nbsp; 
I&#39;ll be starting to do that in my next posting.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If attributes are released during what can be considered to be the same session, they are linked, regardless of cryptographic considerations&#8230;<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,47,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/796"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=796"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/796\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}