[freehaven-dev] Notes: Terminology for anonymous communication systems

[Roger Dingledine <arma@mit.edu>]

Notes from talk by Andreas Pfitzmann 26 July 2000, Berkeley conference.

Part I: Anonymity

                       network
    senders    <->    (messages)    <->    recipients
                ^                    ^
             sender              recipient
            anonymity            anonymity

       ^\                                    /^
         \--------relationship anonymity----/ 
        (unlinkability of sender and recipient)


"message" == item of interest == "ioi"
"anonymity" == unlinkability of ioi and id

"anonymity set" == subset of senders or recipients
There is the notion of "measuring" an anonymity set, which introduces
things like 'distribution', 'probable', 'entropy measure'.

[Stubblebine brings up a complication: What is a message? Does
equal content => same message? Is just opening a connection a message?
Is no message a message? What about unlinkability between messages?]

"unobservability" = ioi protected as such
                    eg, not discernable from random noise

Thus there are notions of sender unobservability, recipient
unobservability, and perhaps relationship unobservability (Pfitzmann is
not sure if this last exists -- Syvester thinks it does).

Note that anonymity<unobservability.

sender anonymity implies relationship anonymity
recipient anonymity implies relationship anonymity

[Thomas brings up a complication: what about deniable encryption?
Proposes that it may be 'somewhere between anonymity and unobservability'.
Mfreed/arma propose that deniable encryption is weaker than anonymity,
since suspicion is potentially bad enough. Mfreed suggests that existence
and content may be distinct. Concensus seems to be that deniability
appears orthogonal to these issues.]

Some mechanisms to achieve these goals:
DCnet, Mix for sender->network
PIR, broadcast, mix return addresses for network->recipient
dummy traffic for sender or recipient unobservability
stego, spread spectrum for unobservability

Part II: Authenticity

                        network
    senders    <->    (pseudonyms)  <->    recipients

"pseudonym" == identifier of sender or recipient (or set of
senders or recipients)

linkability to ioi's: things that might be wanted by the owner:
* strong/provable linkability (eg via digital signatures)
* ability to test key -- *digital* pseudonym implies ability to
"test" (verify) messages relative to a pseudonym.

linkability to persons might be desirable

linkability to ioi's
  as seen by others (eg by near-same-time or by similar content).
  this aspect of linkability is not necessarily wanted by owner of
  pseudonym.

"attributes" can be learned about a pseudonym

Part III: Pseudonyms

                             Pseudonyms
                       _____/        \_____
                      /                    \
                     /                      \
            person pseudonyms          role pseudonyms
           /        |      \                |         \
          /         |       \               |          \
         /          |        \              |           \
     public     non-public    anonymous    (business-)   \
     person     person        person        relationship  Transaction
     pseudonym  pseudonym     pseudonyms    pseudonym     pseudonym
                (eg, bank     (eg,                        (different for
                 accounts     biometrics)                  each
                 or nyms in                                transaction)
                 Freedom)



      (id) <----------------------------------------------> (anonym)
                 (anonymity increases as we go right)


[Stubblebine adds "group signatures", eg "I live in California".
Perhaps this is related to Cardinality [what did I mean by writing
this?]]
[Marit proposes 'roles are people too -- single people'.]

PGP signature