I had some trouble following the exposition in your text. I actually found your original explanation clearer.
Here's my explanation:
>>>
An algorithm takes sensitive information (the known location) and produces less sensitive information (the reported location).
The goal of the adversary or attacker is to derive information about the known location from the reported location. In order to do this, the adversary makes assumptions.
An algorithm that does not force an adversary to make any assumptions to recover the known location cannot be used.
The goal of the obscuring algorithm is to limit the ability of an adversary to recover the known location. An obscuring algorithm is measured by how effectively it deals with an adversary who makes different assumptions. Since each assumption an adversary makes has a change of being wrong, better algorithms force an adversary to make a greater number or less reliable assumptions in order to discover the known location.
<<<
You've taken a different approach, namely that of looking to the indistinguishability property for support in analysis. As I said earlier, that's a useful tool in analyzing the algorithm. We certainly should analyze from different perspectives. But I think that your criteria need to be much clearer.
I also think that what you are introducing is a new concept, distinct but related to ciphertext indistinguishability. In more traditional cryptosystems, the result space is such that for any input, the probability of any value in the result space is equal (assuming a well selected key). That is, if my cipher produces values in the range from 1 to 10, then without knowing the key, I can't predict the output of the cipher with any better than 10% probability (or negligibly more at best).
Location is different. For a given input, I can know beforehand the set of possible outputs to the algorithm. That changes the rules. You can't apply the ciphertext indistinguishability test directly. You have to set the preconditions of your test very carefully. And I don't think that your text does that.
It's also different in the sense that we're not attempting to completely hide information. A traditional cipher attempts to ensure that the plaintext is practically unrecoverable. We are attempting something that doesn't have exactly the same properties. The "ciphertext" resembles the "plaintext" to a certain extent, which is a property a traditional cipher must not exhibit.
I can't think of a way to describe this new concept without starting from first principles. I tried several ways of defining the concept, but I couldn't come up with anything sufficiently clear.
--Martin
On 2011-05-16 at 01:09:46, Jorge Cuellar wrote:
> On Wed, May 4, 2011 at 8:19 PM, Jorge Cuellar
> <jrcuellarj@googlemail.com> wrote:
> >> I'm not sure that I can map your description of the
> indistinguishability property onto my mental model, but your
> description of the "location indistinguishability" and "destination
> indistinguishability" made sense.
> >>
> >> This discussion might make sense as a preface to the discussion on
> assumptions. Can I request that you draft a few paragraphs that
> introduces the subject and how we're planning to apply it?
> >
> Here are two paragraphs that introduce the "indistinguishability"
> notions and how we want to apply them. Let me know what you think:
>
> Privacy properties (as well as security properties) are related to
> notions of "indistinguishability". Given an attacker model, that
> describes which information an attacker can access, a system is
> privacy preserving (or secure) when the attacker can not recover
> precise private information based on the observable information that
> he can collect. He can not recover the precise information because he
> is unable to distinguish several possible values of that information.
> In our case, the attacker observes the results of the location
> obscuring algorithm at given moments (for simplicity, we assume that
> the attacker can autonomously choose those moments, asking the
> location obscuring algorithm: "Where is now the target?"). Besides
> this access to the algorithm, he may also have some further
> information. The two basic situations are the following two: 1. the
> target is in a certain location, at home or work or wherever, and the
> attacker knows, for some reason, that "the target is in the same
> location as before (or yesterday)" (he knows, "he in at home" or "he
> is at work" 2. The target starts a movement (say, a journey) to a
> remote location, but the attacker knows where the target started his
> journey. In both cases, the attacker can ask "Where is now the
> target?" and obtain a response from the obscuring algorithm.
>
> For the first one, we call two points to be "indistinguishable as
> locations", if an attacker can not infer from the outputs of the
> algorithm any information about which of the two points is the
> location of a static target. In particular, if the algorithm provides
> the same distribution of responses for the two locations, those
> locations are indistinguishable. For the second one, consider the
> paths starting at one given point. Two points B1, B2 are
> "indistinguishable as destinations" if for any path starting in a
> point A and ending in B1 there is a path starting in a point A and
> ending in B2, such that the attacker can not infer from the outputs of
> the algorithm any information about which of the two paths the target
> is travelling and in particular, which destination the target has eventually arrived to.
_______________________________________________
Geopriv mailing list
Geopriv@ietf.org
https://www.ietf.org/mailman/listinfo/geopriv
