Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add privacy considerations section about decoy values. #155

Merged
merged 6 commits into from
Apr 6, 2024
Merged

Add privacy considerations section about decoy values. #155

Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
e3128ad
Add privacy considerations section about decoy values.
msporny Mar 24, 2024
6c661b0
Adjust decoy language: holders->subjects.
msporny Mar 30, 2024
aada152
Warn about using too many decoys.
msporny Mar 30, 2024
efa14d9
Discourage decoys, except for bulk updates that reveal group size.
msporny Mar 30, 2024
5878089
Fix grammar around decoy value usage.
msporny Apr 6, 2024
331d95f
Update language to discourage use of decoy values.
msporny Apr 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
47 changes: 47 additions & 0 deletions index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1164,6 +1164,53 @@ <h3>Content Distribution Networks</h3>
</p>
</section>

<section class="informative">
<h3>Decoy Values</h3>

<p>
The use of decoy values in status lists by <a>issuers</a> has been explored as
a mechanism to increase the privacy of <a>subjects</a> by further hiding the
size of the group associated with a status list as well as when values in the
msporny marked this conversation as resolved.
Show resolved Hide resolved
list change. While algorithms for employing decoy values are out of scope for
this specification, implementers are advised to heed the guidance in this
section when considering the use of decoy values.
</p>
<p>
Decoys might help privacy in some cases, but harm privacy in others. For
example, if status list entry indexes are allocated in a purely random fashion,
msporny marked this conversation as resolved.
Show resolved Hide resolved
adding decoys harms privacy because it reduces the group privacy size by the
number of decoys added to the group. A purely random allocation of indexes
ensures that decoys are not necessary unless a bulk operation, such as setting
every credential issued in a list to the same status (such as "revoked"),
would reveal the true size of the group.
msporny marked this conversation as resolved.
Show resolved Hide resolved
</p>
<p>
If decoys are used, the proper number of decoys to use is a function that
includes at least the desired group privacy size, the randomness of the
msporny marked this conversation as resolved.
Show resolved Hide resolved
distribution of entries in the set, and ensuring that entities watching the list
cannot determine which entries are real and which ones are decoys as they change
throughout time. These variables often change based on the use case and
implementers are encouraged to carefully evaluate whether using decoys would
help or harm privacy for their particular scenario.
msporny marked this conversation as resolved.
Show resolved Hide resolved
</p>
<p>
When employing decoy values, it is important to ensure that the decoys
behave like real entries in the group. For example, if a decoy is used for
revocation, it would be strange to flip the decoy value to "unrevoked" when that
is not how the rest of the revocation values associated with real entries
behave. Similarly, changing the decoy values at times and numbers that do not
align with the way real entries behave can enable statistical analysis to
separate the real entries from the decoy entries.
msporny marked this conversation as resolved.
Show resolved Hide resolved
</p>
<p>
In general, the use of decoys is discouraged as, more often than not,
random allocation of status list entry indexes provides adequate protection
for most use cases. If bulk operations can be performed on a status list
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This first sentence is the main thing I agree with in this PR. Don't use decoys, trying to do it seems like you'll probably just end up harming privacy for little to no gain. The second sentence I can't really say I agree with at this point in time. I remain unconvinced by the text that decoys are a good idea in any circumstance when randomness is already employed. I guess if you can't do your index allocation randomly enough, decoys could be of some help, so I wouldn't block the PR on that basis -- but if there's consensus to remove mention of decoys entirely I'd prefer that.

It would be ideal for a "decoy advocate" to offer better text in support of their position; I understand we're trying to approximate here for something that is meant to be obvious but maybe it isn't so obvious in this circumstance. I understand the basic strategy and concept behind using decoys to hide real information in a system, but when this comes into contact with the group privacy problem and other potential solutions here -- I'm not sure it survives analysis. I'm happy to be wrong and would prefer to see the text making it clear to implementers when/why to use them, because that's what this section is for -- and I think a number of them would get a little lost here.

that would reveal the group size, only then might an implementer consider the
use of decoys.
msporny marked this conversation as resolved.
Show resolved Hide resolved
</p>
</section>

<section class="informative">
<h3>Malicious Issuers and Verifiers</h3>
<p>
Expand Down
Loading