Separate protocols with trusted, untrusted witnesses

fig/proofshare-trusted.tikz

@@ -0,0 +1,53 @@
+\begin{tikzpicture}[%
+  -Latex,
+  item/.style={rectangle,draw},
+  edge from parent/.style={},
+  ]
+  \tikzset{%
+    %grow'=left,%
+    %level distance=5em%
+  }
+  \node[item] (proof) {$(\cid, \pid, \wid, t, l)$}
+  child {%
+    node[item] (pid) {$\pid$}
+    child {%
+      node[item] (cid) {$\cid$}
+      child {%
+        node[item] (manifesto) {$\mfst$}
+      }
+    }
+  }
+  child {%
+    node[item] (wid) {$\wid$}
+  }
+  child {%
+    node[item] (ts) {$t$}
+  }
+  child {%
+    node[item] (l) {$l$}
+  }
+  ;
+
+  \node[item,right of=proof,node distance=8em] (prfW) {$\prf_W$} ;
+
+  \path[every node/.style={font=\small}]
+  (cid) edge [out=north west,in=west] node [anchor=east] {$\in$} (proof)
+  (pid) edge node [anchor=south east] {$\in$} (proof)
+  (wid) edge node [anchor=east] {$\in$} (proof)
+  (ts) edge node [anchor=east] {$\in$} (proof)
+  (l) edge node [anchor=west] {$\in$} (proof)
+  ;
+
+  \path[every node/.style={font=\small}]
+  (manifesto) edge node [anchor=east] {$\Hash[\cdot]$} (cid)
+  (cid) edge node [anchor=west,rotate=-30]
+    {$\ACprf[_{\sk_P}][\cdot]$} (pid)
+  (pid) edge[bend right] node [anchor=160,rotate=-30]
+    {$\ACprf[_{\sk_W}][\cdot]$} (wid)
+  ;
+
+  \path[every node/.style={font=\small}]
+  (proof) edge [out=east,in=west] node {} (prfW)
+  ;
+
+\end{tikzpicture}

paper/.gitignore

@@ -10,6 +10,7 @@ location.bib
 main.pdf
 paper.pdf
 proofshare.tikz
+proofshare-trusted.tikz
 protests.bib
 sybil.bib
 tposet.tikz

paper/Makefile

@@ -11,12 +11,12 @@ main.pdf: preamble.tex preamble-paper.tex
 SRC+=	contents.tex
 SRC+=	abstract.tex
 SRC+=	intro.tex
-SRC+=	system-model.tex
 SRC+=	current-crowd-counting.tex
 SRC+= 	definitions.tex
 SRC+= 	protest-model.tex
 SRC+= 	security-properties.tex
 SRC+= 	adversary-model.tex 
+SRC+=	system-model.tex
 SRC+= 	building-blocks.tex
 SRC+= 	ZKPK.tex
 #SRC+= 	ZKPK-instantiations.tex
@@ -25,10 +25,11 @@ SRC+= 	anon-cred.tex
 SRC+= 	distance-bounding.tex
 #SRC+= 	DB-anon-cred.tex
 SRC+= 	timestamp.tex
-SRC+= 	protocol.tex
+SRC+= 	protocol-trusted.tex
+SRC+= 	protocol-untrusted.tex
 SRC+=	security-analysis.tex
-SRC+= 	verifiability-analysis.tex
-SRC+= 	privacy-analysis.tex
+SRC+= 		verifiability-analysis.tex
+SRC+= 		privacy-analysis.tex
 SRC+= 	performance.tex
 SRC+= 	related-work.tex
 SRC+= 	discussion.tex
@@ -39,8 +40,9 @@ SRC+= 	identity-limits.tex
 
 main.pdf: ${SRC}
 
-FIGS+= 				proofshare.tikz
+FIGS+= 				proofshare.tikz proofshare-trusted.tikz
 proofshare.tikz: 	../fig/proofshare.tikz
+proofshare-trusted.tikz: 	../fig/proofshare-trusted.tikz
 
 FIGS+= 				base-adversary.tikz
 base-adversary.tikz: ../fig/base-adversary.tikz

paper/building-blocks.tex

@@ -24,5 +24,7 @@ \section{Building blocks}%
 
 \input{distance-bounding.tex}
 
+\input{location-proofs.tex}
+
 \input{timestamp.tex}
 

paper/contents.tex

@@ -13,7 +13,8 @@
 \include*{definitions}
 \include*{building-blocks}
 %\include*{DB-anon-cred}
-\include*{protocol}
+\include*{protocol-trusted}
+\include*{protocol-untrusted}
 \include*{security-analysis}
 \include*{performance}
 \include*{related-work}
@@ -23,7 +24,6 @@
 \printbibliography{}
 
 \appendix
-\include*{location-proofs}
 %\include*{trust-assumptions}
 \include*{anon-cred-figures}
 %\include*{tamarin-spec}

paper/distance-bounding.tex

@@ -42,8 +42,9 @@ \subsection{Distance-bounding protocols}%
 Our setting requires a public-key \ac{DB} protocol with a \emph{malicious verifier} who will potentially try to \emph{impersonate the prover}.
 The verifier might also try to track the provers and map their identities to 
 their actions, thus we also require strong privacy.
-In fact, as the construction in \cref{Protocol} shows, we require \iac{DB} 
-\ac{ZKPK}, or simply \ac{PPK}, for discrete logarithms.
+In fact, as the construction in 
+\cref{untrusted-witnesses-protocol,trusted-witnesses-protocol} shows, we 
+require \iac{DB} \ac{ZKPK}, or simply \ac{PPK}, for discrete logarithms.
 For this paper, we assume the existence of such a protocol.
 There exists one such protocol in the literature, namely one by 
 \textcite{DB-Schnorr}, we refer to that paper for a detailed discussion.

paper/intro.tex

@@ -71,7 +71,9 @@ \section{Introduction}%
 %
 We present \CROCUS, a privacy-preserving crowd counting 
 %estimation 
-protocol in in \Cref{Protocol}, analyze its security in \cref{SecurityAnalysis}, and estimate its performance in \cref{PerformanceAnalysis}.
+protocol in in \cref{trusted-witnesses-protocol,untrusted-witnesses-protocol}, 
+analyze its security in \cref{SecurityAnalysis}, and estimate its performance 
+in \cref{PerformanceAnalysis}.
 We compare it to related work in \cref{related-work}.
 Finally, we discuss limitations and assumptions in \cref{Discussion} and give 
 our conclusions in \cref{Conclusion}.

paper/location-proofs.tex

@@ -0,0 +1,37 @@
+\subsection{Location proofs}
+\label{location-proofs}
+Some \acp{LBS} only grant access to resources to users located at a particular 
+location, thus raising the issue of verifying the position claimed by a 
+particular user.
+One possible way to counter this threat is by having the requesting device 
+formally prove that it really is at the claimed location, which gives rise to 
+the concept of \acp{LP}.
+In a nutshell, \iac{LP} is a digital certificate attesting that someone was at 
+a particular location at a specific moment in time.
+\Iac{LPS} is an architecture by which users can obtain \acp{LP} from 
+neighboring witnesses (\eg trusted access points or other users) that can later 
+be shown to verifiers who can check the validity of a particular 
+proof~\cite{luo2010veriplace,zhu2011applaus}.
+Most of the existing approaches to \acp{LP} require the prover and the 
+witnesses to disclose their identities, thus raising many privacy issues such 
+as the possibility of tracing the movements of users of the \ac{LPS}.
+However, some \acp{LPS}, such as PROPS~\cite{PROPS}, exist that provide strong 
+privacy guarantees along with the possibility of verifying the claim of the 
+location.
+
+%\CROCUS shares some similarities with PROPS, although their objective is quite 
+%different as it aims at verifying a global property of the population (\ie 
+%crowd estimation) in contrast to checking the location claim made by a user, 
+%which is an individual property.
+%
+%Another difference is that \CROCUS operates in a more adverse environment.
+%\CROCUS must provide \emph{universal verifiability}, this means that all proofs 
+%must be available to and verifiable by anyone.
+%One problem here is that we have multiple verifiers who might not trust the 
+%same witnesses.
+%The incentives to cheat are also bigger and consequently the thresholds for 
+%collusion are much higher.
+%
+\sonja{add something on platin.io, details unknown but roughly relying on 
+  witnesses and graph theory (unique big cluster, assumption of honest 
+  majority)}

paper/preamble.tex

@@ -112,11 +112,14 @@
 \NewAlgorithm{\CROCUSsetup}{Setup}
 \NewVariable{\pk}{pk}
 \NewVariable{\sk}{sk}
-\NewVariable{\spk}{spk}
-\NewVariable{\ssk}{ssk}
+\NewVariable{\CA}{CA}
+\NewVariable{\spk}{spk_\CA}
+\NewVariable{\ssk}{ssk_\CA}
+\NewVariable{\spkw}{spk_{\CA'}}
+\NewVariable{\sskw}{ssk_{\CA'}}
 \NewAlgorithm{\CROCUSreg}{Reg}
 \NewAlgorithm{\CROCUSjoin}{Join}
-\NewVariable{\mfst}{manifesto}
+\NewVariable{\mfst}{m}
 \NewAlgorithm{\CROCUSparticipate}{Prticip}
 \NewAlgorithm{\CROCUSwitness}{Witness}
 \NewAlgorithm{\CROCUSsubmit}{Submit}
@@ -149,7 +152,6 @@
 \NewAlgorithm{\PKverify}{PK.\!Verify}
 \NewAlgorithm{\SPKprove}{SPK.\!Prove}
 \NewAlgorithm{\SPKverify}{SPK.\!Verify}
-\NewVariable{\CA}{CA}
 \NewSet{\TT}{T}
 \NewSet{\LL}{L}