Sunday, May 15, 2011

Re: [Geopriv] geopriv-policy algorithm constraints and goals

On Wed, May 4, 2011 at 8:19 PM, Jorge Cuellar <jrcuellarj@googlemail.com> wrote:
>> I'm not sure that I can map your description of the indistinguishability property onto my mental model, but your description of the "location indistinguishability" and "destination indistinguishability" made sense.
>>
>> This discussion might make sense as a preface to the discussion on assumptions.  Can I request that you draft a few paragraphs that introduce the subject and how we're planning to apply it?
>
Here are two paragraphs that introduce the "indistinguishability"
notions and how we want to apply them. Let me know what you think:

Privacy properties (as well as security properties) are related to
notions of "indistinguishability". Given an attacker model that
describes which information an attacker can access, a system is
privacy preserving (or secure) when the attacker cannot recover
precise private information based on the observable information that
he can collect. He cannot recover the precise information because he
is unable to distinguish several possible values of that information.
In our case, the attacker observes the results of the location
obscuring algorithm at given moments (for simplicity, we assume that
the attacker can autonomously choose those moments, asking the
location obscuring algorithm: "Where is the target now?"). Besides
this access to the algorithm, he may also have some further
information. The two basic situations are the following: 1. the
target is in a certain location, at home or work or wherever, and the
attacker knows, for some reason, that "the target is in the same
location as before (or yesterday)" (he knows "he is at home" or "he
is at work"). 2. The target starts a movement (say, a journey) to a
remote location, but the attacker knows where the target started his
journey. In both cases, the attacker can ask "Where is the target
now?" and obtain a response from the obscuring algorithm.

For the first one, we call two points "indistinguishable as
locations" if an attacker cannot infer from the outputs of the
algorithm any information about which of the two points is the
location of a static target. In particular, if the algorithm provides
the same distribution of responses for the two locations, those
locations are indistinguishable. For the second one, consider the
paths starting at one given point. Two points B1, B2 are
"indistinguishable as destinations" if for any path starting in a
point A and ending in B1 there is a path starting in the point A and
ending in B2, such that the attacker cannot infer from the outputs of
the algorithm any information about which of the two paths the target
is travelling and, in particular, which destination the target has
eventually arrived at.
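As an added illustration of the two notions above (this code is not part of the message or of any geopriv-policy draft), the following Python models a hypothetical obscuring algorithm that snaps a point to a 100 m grid cell and, with probability 1/5, reports one of the four neighbouring cells instead; it then decides "indistinguishable as locations" by comparing exact response distributions and "indistinguishable as destinations" by comparing the exact distributions of the whole sequence of responses along a path. The cell size, noise probability and sample points/paths are constructed.

```python
from fractions import Fraction

CELL = 100  # constructed: grid cell size in metres


def cell_of(point):
    """Grid cell containing the precise point (integer floor division)."""
    x, y = point
    return (x // CELL, y // CELL)


def response_distribution(point, p_noise=Fraction(1, 5)):
    """Exact distribution of the obscuring algorithm's answer to
    'Where is the target now?': true cell with probability 1-p_noise,
    otherwise one of the four neighbouring cells with equal probability."""
    cx, cy = cell_of(point)
    dist = {(cx, cy): 1 - p_noise}
    for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        key = (cx + dx, cy + dy)
        dist[key] = dist.get(key, Fraction(0)) + p_noise / 4
    return dist


def indistinguishable_as_locations(a, b):
    """Static target: same response distribution at both points."""
    return response_distribution(a) == response_distribution(b)


def path_distribution(path):
    """Distribution over the tuple of answers the attacker collects when
    querying once per point of the path (noise independent per query)."""
    dist = {(): Fraction(1)}
    for point in path:
        step = response_distribution(point)
        dist = {obs + (cell,): pr * q
                for obs, pr in dist.items() for cell, q in step.items()}
    return dist


def indistinguishable_as_destinations(paths_to_b1, paths_to_b2):
    """Every path to B1 has a path to B2 with an identical observation
    distribution, so the outputs reveal nothing about which was taken."""
    views_b2 = [path_distribution(p) for p in paths_to_b2]
    return all(path_distribution(p) in views_b2 for p in paths_to_b1)


A = (10, 10)  # constructed start point known to the attacker
PATHS_TO_B1 = [[A, (150, 20), (250, 30), (350, 40)]]   # cells (0,0)..(3,0)
PATHS_TO_B2 = [[A, (120, 50), (260, 10), (380, 60)]]   # same cell sequence
PATHS_TO_B3 = [[A, (150, 20), (250, 30), (350, 140)]]  # ends in cell (3,1)
```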
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv