> Thanks Martin for the input. I would add to stationary and frequent
> destination:
>
> > Stationary assumption: An algorithm SHOULD obscure the location of a
> > stationary target. More specifically, when a target does not move, a
> > location recipient should be unable to determine the known location
> > using only the reported locations that are output from the algorithm.
> In particular, the algorithm SHOULD obscure the location even if the
> attacker knows the details of the protocol and is able to simulate it.
That's a more general constraint. As a general rule, security by obscurity doesn't work. I don't see that this is any different.
If you think that the text is useful, I'd add it as a later note.
> > Frequent destination assumption: An algorithm SHOULD obscure the
> > details of a frequently visited location or path. For a destination
> > that is regularly visited, the algorithm cannot provide the precise
> > location of the frequented location.
>
> > Any description SHOULD indicate whether the algorithm prevents a
> > recipient from identifying whether different reported locations
> > correspond to the same known location, and under what circumstances.
> In particular if the attacker knows the details of the protocol and is
> able to simulate it.
>
> And also I would add a new assumption:
>
> Indistinguishability assumption:
>
> We call two points "indistinguishable as locations" for an algorithm,
> if an attacker can not infer from the outputs of the algorithm any
> information about which of the two points is the location of a static
> target. In particular, if the algorithm provides the same response for
> two locations, those locations are indistinguishable. Similarly two
> points are called "indistinguishable as destinations" if an attacker
> can not infer from the outputs of the algorithm any information about
> which of the two points was the destination of a moving target. This
> is true in particular, if every path that ends in one of the two
> points can be extended to a path ending on the other point, without
> changing the outputs of the algorithm.
>
> Two points are in the same indistinguishability region if and only if
> they are indistinguishable as locations and destinations. An algorithm
> SHOULD provide a description of the indistinguishability regions it
> defines. A theoretical analysis of the size and shape of the
> indistinguishability regions of the algorithm is desirable.
That's a more verbose version of what I intended with the second paragraph. What you have described is something that is part of the solution space more than the goals. I considered having an additional assumption for indistinguishable locations, but it's not really related to an assumption that a recipient makes, more just a product of the algorithm.
>
> -- Jorge
>
> On Tue, Apr 12, 2011 at 3:23 AM, Thomson, Martin
> <Martin.Thomson@commscope.com> wrote:
> > With the idea that we want -geopriv-policy finished sometime this
> > millennium, here's my first, rough attempt at describing constraints
> > and goals for location obscuring.
> >
> > I'd sorely like to add additional goals that rely on topology,
> > routing, or behavioral information. But, I'm afraid that we'll never
> > get an algorithm deployed based on something that complex. All
> > current indications are that such a method is necessary, but more
> > research is necessary before anything concrete could be proposed.
> >
> > --Martin
> >
> > ----
> >
> > The purpose of a location obscuring algorithm is to provide a
> > location recipient (LR) with location information of reduced quality.
> > The intent is to provide an LR with location information that is
> > correct, but insufficient to identify the known location without a
> > chosen amount of uncertainty.
> >
> > The obscuring algorithm takes a series of _known locations_, which
> > might have greater accuracy than the recipient is permitted to receive.
> > The obscuring process produces a series of _reported locations_.
> >
> > Algorithm Constraints
> >
> > Each algorithm MUST be assigned a label. This label is used to
> > identify the algorithm. Algorithm labels are added to the location
> > obscuring algorithm registry (see Section x.x).
> >
> > The algorithm MUST accept known locations with uncertainty and
> > produce reported locations with uncertainty that encloses the known
> > location at that time. That is, the reported location is no less
> > correct than the known location.
> >
> > Any obscuring algorithm MUST accept a single input parameter of a
> > distance in meters. Any other tuning parameters for the algorithm
> > MUST be fixed in the definition of the algorithm.
> >
> > Algorithm Goals
> >
> > In assessing any algorithm, the information that a recipient can
> > recover determines how effective that algorithm is. When a recipient
> > (or adversary) makes assumptions [Duckham05] about the movement of the
> > target, they may be able to recover more information than is intended.
> >
> > The assumptions that a recipient is forced to make to recover
> > information determine how effective an algorithm is. The more
> > assumptions that are necessary, the more difficult it is to reliably
> > recover the known location. While it cannot be assumed that the
> > complexity of applying multiple assumptions would prevent a recipient
> > from applying those assumptions, the probability that a given set of
> > assumptions is incorrect increases with number.
> >
> > The following assumptions are considered important for the
> > development of an algorithm that obscures location. These assumptions
> > are considered to have a high probability of being correct and are
> > therefore the most important assumptions to protect against.
> >
> > Stationary assumption:
> > An algorithm SHOULD obscure the location of a stationary
> > target. More specifically, when a target does not move, a location
> > recipient should be unable to determine the known location using only
> > the reported locations that are output from the algorithm.
> >
> > Continuous movement assumption:
> > An algorithm SHOULD obscure the location of a moving target.
> > More specifically, when a target moves, a location recipient should
> > be unable to determine the known location of the target at any point
> > in time using only the reported locations that are output from the
> > algorithm.
> >
> > Frequent destination assumption:
> > An algorithm SHOULD obscure the details of a frequently
> > visited location or path. For a destination that is regularly
> > visited, the algorithm cannot provide the precise location of the
> > frequented location.
> >
> > Any description SHOULD indicate whether the algorithm prevents
> > a recipient from identifying whether different reported locations
> > correspond to the same known location, and under what circumstances.
> > This would permit a recipient to learn that the same location is
> > being visited, even if the identity of that location is obscured.
> >
> > High accuracy assumption:
> > An algorithm SHOULD obscure location when the known location
> > has low uncertainty or a high frequency update rate. A theoretical
> > analysis of the algorithm based on a continuous series of perfect
> > known locations is desirable.
> >
> > An algorithm may also provide protection for the speed or velocity of
> > a target. It is desirable that the precise speed of a target cannot
> > be easily learned. The following assumptions are also important in
> > assessing an algorithm:
> >
> > Constant velocity assumption:
> > An algorithm SHOULD obscure the speed of a target under the
> > assumption of constant velocity or constant speed along a predefined
> > path (such as a road).
> >
> > Other assumptions that a location recipient might use to improve
> > their ability to recover a known location might include: upper and
> > lower bounds to speed or acceleration, constrained movement along
> > specific thoroughfares, or inability to be located in areas that are
> > designated inaccessible.
> >
> > Discussion of any additional assumptions that are either rendered
> > ineffective or especially effective is useful in evaluating an
> > algorithm.
> >
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv
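The draft's enclosure constraint ("reported locations with uncertainty that encloses the known location"), its stationary assumption, and Jorge's indistinguishability point, worked through in code. This is an added illustration, not part of any message in this thread and not the -geopriv-policy algorithm: the two obscuring algorithms (a random offset and a deterministic grid snap), the planar metre coordinates and the "home" location are all constructed for the example. Feeding a stationary target's known location to each algorithm many times and looking only at the outputs shows why the random offset fails the stationary assumption (the centroid of the reports converges on the known location) while the grid snap passes it but, because its reported location is a deterministic function of the cell, lets a recipient tell that two reports refer to the same known location, exactly the property the draft says an algorithm description SHOULD state.

```python
"""Evaluating toy location-obscuring algorithms (constructed for this example)
against the enclosure constraint and the stationary assumption."""
import math
import random
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Location:
    """Circular location: centre in metres on a local planar grid (constructed
    coordinate system) plus an uncertainty radius in metres."""
    x: float
    y: float
    uncertainty: float


def encloses(reported: Location, known: Location) -> bool:
    """Enclosure constraint: the reported circle must contain the whole known circle."""
    d = math.hypot(reported.x - known.x, reported.y - known.y)
    return d + known.uncertainty <= reported.uncertainty + 1e-9


def random_offset(known: Location, distance: float, rng: Optional[random.Random] = None) -> Location:
    """Toy algorithm A (hypothetical): shift the centre by a random vector of length
    <= distance and grow the uncertainty by that distance, so enclosure still holds."""
    rng = rng or random.Random()
    r = distance * math.sqrt(rng.random())        # sqrt -> uniform over the disc
    theta = rng.random() * 2.0 * math.pi
    return Location(known.x + r * math.cos(theta),
                    known.y + r * math.sin(theta),
                    known.uncertainty + distance)


def grid_snap(known: Location, distance: float, rng: Optional[random.Random] = None) -> Location:
    """Toy algorithm B (hypothetical): report the centre of the square cell (side
    2*distance) containing the known centre. A point in the cell is at most
    distance*sqrt(2) from that centre, so the uncertainty grows by that much."""
    side = 2.0 * distance
    cx = (math.floor(known.x / side) + 0.5) * side
    cy = (math.floor(known.y / side) + 0.5) * side
    return Location(cx, cy, known.uncertainty + distance * math.sqrt(2.0))


Algorithm = Callable[[Location, float, Optional[random.Random]], Location]


def evaluate_stationary(algorithm: Algorithm, known: Location, distance: float,
                        n_reports: int, seed: int = 0) -> dict:
    """Give the algorithm the same known location n_reports times (a stationary
    target) and measure what a recipient could recover from the outputs alone:
    whether every report obeys the enclosure constraint, how many distinct
    reports were produced (1 means repeated reports leak nothing new but are
    trivially linkable), and how far the centroid of the reports is from the
    known centre (small means averaging defeats the obscuring)."""
    rng = random.Random(seed)
    reports = [algorithm(known, distance, rng) for _ in range(n_reports)]
    mean_x = sum(r.x for r in reports) / n_reports
    mean_y = sum(r.y for r in reports) / n_reports
    return {
        "all_enclose": all(encloses(r, known) for r in reports),
        "distinct_reports": len({(r.x, r.y) for r in reports}),
        "centroid_error": math.hypot(mean_x - known.x, mean_y - known.y),
    }


if __name__ == "__main__":
    home = Location(123.4, 567.8, 5.0)   # constructed known location, 5 m uncertainty
    for name, alg in (("random offset", random_offset), ("grid snap", grid_snap)):
        print(name, evaluate_stationary(alg, home, distance=100.0, n_reports=2000))
```

With a 100 m distance parameter and 2000 reports, the random-offset centroid lands within a few metres of the known centre (its per-axis standard deviation is 50 m / sqrt(2000), about 1.1 m), so the stationary assumption is not met even though every single report satisfies the enclosure constraint. The grid snap returns one identical report, whose centre is about 72 m from the known centre for this input; its indistinguishability region, in Jorge's terms, is the whole 200 m cell, and a recipient can recognise a return to the cell from the repeated output.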