Enhancing Privacy Through DMMA: Decision-Making Method for Authentication

Attribute-Based Authentication (ABA) is becoming more prevalent in everyday interactions. In this paper, we propose the Decision-Making Method for Authentication (DMMA) to address the privacy concerns in ABA. The need for DMMA is supported through multiple observations. First, in practice, the indistinguishability of crypto-proof-based assertions (that are possessed by different users) fails with non-zero probability. This explains why cryptographic means alone are insufficient to provide a substantial level of unlinkability in ABA systems with n users. Second, each user in ABA possesses multiple credentials: they can be used interchangeably to get access to the service(s) provided by a relying party (RP). DMMA addresses the challenge of interchangeable usage. As an initial step, we synthesized the criterion of unlinkability: it is based on the definitions of international standard ISO 27551 as well as the information-theoretic measure of conditional entropy. We then use that criterion to formalize the task of authentication as a non-cooperative coordination game. In this game, players (targets of the attack) maximize their utilities by using their assertions interchangeably. The experiment demonstrates that a number of equilibria with substantially higher unlinkability can be achieved. Unlinkability varies depending on: i) the information (and its trustworthiness) about the moves of the other players in the game; ii) the statistical distribution of user attributes. DMMA demonstrates how users may be provided recommendations over the optimal selection of assertions for ABA. These recommendations can have a practical impact if DMMA is implemented as a feature within Digital Credential Wallets (DCWs).


I. INTRODUCTION
Verifiable digital credentials play a vital role in everyday transactions [1], [2]. They include digital certificates, tokens, signed documents and personal credentials. One of the primary benefits of such credentials is their suitability for user-centric Identity and Access Management (IAM): once cryptographically signed by a trusted issuer, they can be managed by the user. The latter can derive assertions (realizations) from these credentials and submit them to a Relying Party (RP) without any assistance from an Identity Provider (IdP). Attribute-based authentication (ABA) is a special case of user-centric IAM where the claims within credentials consider various user attributes, e.g. age and name. ABA allows preserving privacy better if access policies set by an RP are known to a user. For instance, the owner can selectively disclose information that is necessary for an RP and hide valuable Personally Identifiable Information (PII). This obfuscation often contrasts with the position of an RP, who may wish to obtain additional information (e.g. in the form of metadata) with the aim to increase the trustworthiness of the assertions. Such demand for detail from an RP makes user anonymity hardly achievable in practice.

A. Current privacy trends in ABA
A number of prominent cryptographic solutions have been proposed in the past including Idemix, U-Prove, Privacy-preserving Attribute-Based Credentials [3]-[5]. Unfortunately, these technical solutions have not become mainstream due to reasons such as the substantial computational complexity and reliance on a trusted third party [6].
In order to mitigate some of these issues, there has been significant effort in developing the latest standards and specifications for verifiable digital assertions such as IRMA and Verifiable Credentials [2], [7]. They allow users to perform selective disclosure of the information related to the subject of the assertion (e.g. claim). This can be done using zero knowledge proofs (ZKP) as an approach that proves a secret without revealing it [8]. However, these techniques do not permit users to control all the components of digital assertions, which may cause situations where users are still discriminated by an RP based on the differences in assertion metadata, for instance [9], [10]. This implies that unlinkability in ABA may be impeded because absolute indistinguishability of user assertions is unattainable. To improve user privacy under such limitation, we consider an alternative game-theoretical approach in this paper.

B. Scope of the paper and contribution
In this paper, we aim to enhance user privacy in ABA through Decision Making Method for Authentication (DMMA). We demonstrate the necessary evidence based on: (a) context of ABA system with the threat model where Attribute Provider (AP) and RP collude with the aim to link authentication events of a user (U); (b) the new assumption that access policy established by an RP can be satisfied with any one of 2 assertions possessed by U; (c) strategy (methodology) that includes unlinkability definitions and tests from ISO/IEC DIS 27551, information theory to formalize test criterion using conditional entropy, and game theory to find equilibria in non-cooperative coordination games (which we call naïve and tenable) with incomplete information which are played by n players (e.g. users) in ABA system. Naïve and tenable games differ due to the information that is available to the players. As a result of applying methodology listed in item (c) we contribute to the existing research in privacy of authentication systems with:
• new utility for unlinkability that is derived from the information-theoretic criterion;
• new model (DMMA), which defines optimal strategies for n players as well as corresponding equilibria in the games.
DMMA demonstrates that in the system of n users who authenticate to the same RP, realizations should be used interchangeably. This is arguably the first non-cryptographic attempt to improve user privacy using such 'multi-attribute' assumptions by applying game-theoretic techniques. In the experimental part of the paper we demonstrate the evidence of 'enhancing user unlinkability in ABA' by testing the proposed DMMA.

C. Roadmap
The paper is structured as follows. Section II contains preliminaries and simplified illustrations for a game-theoretical approach to the problem of unlinkability. Section III provides theoretic results that explain why conditional entropy should be used to express RP's "guessing" performance (as per listing 1) followed by the Decision-Making Method for Authentication (DMMA) which is based on two different non-cooperative coordination games with incomplete information which we dub 'naïve' and 'tenable', respectively. Here we discuss possible distributions of the attributes owned by the players as well as the availability of common information about decisions made by the users in the game. In section IV, we conduct computational experimentation on the properties of DMMA intending to find various equilibria that demonstrate the privacy advantages of rational interchangeable attribute usage. Next, we discuss the key results of our study in section V. In section VI, we revise the work of other authors that is related to our study. We finally conclude by highlighting the main contributions in section VII.

II. PRELIMINARIES
The interactions between a user (U), the attribute provider (AP) and the relying party (RP) are analyzed in the context of '(RP-AP-U)-model' for ABA that is defined in [11]. We will further interpret the letter 'U' as a specific user, such as Alice or Bob. Multiple authentication credentials are controlled by Alice and Bob who engage in a digital transaction with an RP. This need for multi-attribute usage is supported by numerous examples from practice including multiple certificates issued to the same entity by different Certificate Authorities (CA) as well as multiple digital credentials (such as driver license, passport, club membership) issued by various official sources [9], [12]. We focus on the scenario where every user possesses two different credentials. Credentials are supplied by the AP with whom a user must first register. A user will then utilize obtained credentials to prepare various assertions (e.g. realizations, proofs) to present to the RP. Privacy-preserving techniques, such as selective disclosure and/or ZKP, are usually used for realization.
Some of the resulting realizations may be identical for both Alice and Bob such that RP can not differentiate them. On the other hand, some others can be easily differentiated because the credentials they were derived from may originate from different authoritative sources (e.g. driver license and club membership). Alice and Bob's task is to coordinate usage of indistinguishable realizations to achieve a better degree of privacy expressed via criterion for unlinkability (see definition 2 and listing 1). To conserve space, we do not discuss details of the format and process of preparation for the presentations supplied by the AP while assuming that our results are equally applicable to VC and IRMA [2], [7], [8].

A. Simplified model for 2-player game
A simplified illustration of the concept of interchangeable usage of realizations for authentication purposes is depicted in fig. 1. Alice and Bob authenticate to RP using both of their realizations α and β that must satisfy policy P set by RP. α and β can be, for instance, derived from digital credentials such as driver license and club membership, respectively. In this example, realizations of the same category (e.g. from driver license) can not be distinguished by RP because of selective disclosure and ZKP used during authentication. Therefore 'α submitted by Alice' and 'α submitted by Bob' can not be differentiated by RP [2], [8]. Conversely, realizations from different categories (e.g. α versus β) can be well-distinguished by RP who plays an adversarial role in the model and tries to 'link' all the authentication events initiated by the same user.
RP observes 16 authentication events over some time t (see fig. 1) out of which 6 events were initiated by Alice (A) and 10 events were initiated by Bob (B). Hence, for any non-attributed event observed by RP, probability that it is initiated by A is Pr(A) = 6/16 = 0.375. Probability that the event is initiated by B is Pr(B) = 10/16 = 0.625. Intuitively, the users could modify initial marginal distribution so that Pr(A) = Pr(B) to achieve better privacy. In practice, the users' needs in the service provided by RP dictate Pr(A) and Pr(B). These needs usually supersede the need to remain private and, hence, Pr(A) and Pr(B) must be accepted unaltered [13].
In addition to the information about marginal distribution, RP does observe attributes and differentiates between α and β. As a result, the more refined characteristics utilized by RP in his analysis include Pr(A | α), Pr(A | β), Pr(B | α), Pr(B | β). This in turn depends on the decisions made by we conclude that RP infers that Pr(α) = 11/16, Pr(β) = 5/16, We further interpret the privacy meaning of such decisions based on statistical characteristics available to RP.

B. Privacy threats and performance in the game
Anonymity is the strongest notion of privacy. International standard ISO/IEC DIS 27551 'Requirements for attribute-based unlinkable entity authentication' describes various notions of unlinkability that can be used to express degrees of anonymity achievable in authentication systems [11], [14]. A generic definition of unlinkability refers to the inability to link authentication protocol executions.
Definition 1 (Linking). Is the ability for an entity or a group of colluding entities to distinguish protocol executions where an entity role is played by the same entity, from protocol executions where that entity role is played by different entities.
Assumptions about protocol correctness and unforgeability are made in ISO/IEC DIS 27551. As such, we make similar assumptions to define performance in the game where all the authentication events are instances of protocol execution. Among all the unlinkability definitions in this standard 'RP+AP-U unlinkability' is characterized by Unlinkability Level (UL) 5 which corresponds to the highest degree of anonymity [11].
Definition 2 (RP+AP-U unlinkability). Is the unlinkability in the system where adversary can observe, actively intercept and modify exchanged messages and additionally plays the role of both RP and AP. The target entity role is U.
The standardization procedure designates a test to decide whether 'inability to link' is met (see listing 1). We further regard that entities U 0 and U 1 in the test are played by Alice and Bob, respectively, from the game in fig. 1. Among the major similarities between the game and the test are: (i) realizations α, β in the game cohere with the set of attributes that satisfy access policy P in the test; (ii) authentication events (protocol executions) repeat over time; (iii) performance is measured based on the conditional probability of correct guess (made by RP) given the value of realization/attribute. In spite of these similarities the test in ISO/IEC DIS 27551 does not allow evaluating the performance for the game. This is because in the test: (a) it is demanded that Pr(A) = Pr(B) = 0.5, which is not always satisfied in practice; (b) details of the 'guessing' procedure (line 7, listing 1) remain unclear. As a result, Alice and Bob require additional concepts to produce best responses in the game. Conditional Entropy is one of the concepts that accords with the introduced game and RP+AP-U unlinkability test. Although numerous information-theoretic measures have been applied to unlinkability in the past, we are the first to demonstrate how conditional entropy limits RP's 'guessing' efficiency (line 7, listing 1) [11]. This makes it suitable to measure performance in the game such that players can directly derive their utilities from it. For example, according to the RP's inference from fig. 1 the resulting conditional entropy is 0.7915. This value can be substantially increased if, for instance, Alice does not change her decisions while Bob plays Pr(α | B) = 0.5 and Pr(β | B) = 0.5. Based on that RP would infer that Pr(α) = 0.5, Pr(β) = 0.5, Pr(A | α) = Pr(A | β) = 0.375, Pr(B | α) = Pr(B | β) = 0.625 which results in conditional entropy as high as 0.9544.
As can be seen, this requires coordination between Alice and Bob because, for instance, Bob's decision depends on the one produced by Alice. In extreme cases of miscoordination between players, conditional entropy is 0, meaning that RP can link them with absolute success. This happens if, for example, Alice plays Pr(α | A) = 1 and Bob plays Pr(β | B) = 1.
To coordinate, players should know the attributes of each other and the decisions made by their counterparts. This information may be non-deterministic and expressed in the form of priors or beliefs. Hence, the rest of the paper will attempt to answer the following Research Question (RQ): How can a user improve unlinkability in ABA systems when multiple-credentials are held by that user?

III. DECISION-MAKING METHOD FOR AUTHENTICATION
In this section, we provide further details pertaining to the Decision Making Method for Authentication (DMMA). For the main notations used in this paper see table I. We first demonstrate that conditional entropy is appropriate to express attacker's performance in linking authentication events to Alice and Bob. This will be used to derive players' utilities in the game. Then, we analyze the details of refined 2-player model where Alice and Bob aim at maximizing conditional entropy through coordination in various game-theoretic scenarios.
Set of indices of the players.
Categories of attribute realizations.
Random attributes of player i.
Set of all continuous strategies for the players.
Bayesian game over the sets I, T , S, ℵ, , u.
Expected value.
n ≥ 2: Number of players in the game.

A. Relation between unlinkability and conditional entropy
Based on the 2-player example provided in the previous section, we label Alice and Bob using labels L = {A, B} (random variable L ∈ L denoting either A or B), respectively. The set of Alice's and Bob's attributes will be denoted as = {α, β} (random variable l ∈ denoting either α or β), respectively. We then argue that irrespective of the linking method deployed by RP, conditional entropy H(L | l) can be used to characterize the best performance achievable by that linking method. This is supported by the following lemma as well as can be observed from Receiver Operating Characteristics (   C users A and B could coordinate with one another. However, questions surrounding how this coordination is carried out still remain. Therefore, we will proceed to gradually refine the initial model introduced in fig. 1 to ensure that this is addressed. Substantial simplification for that initial model is achieved due to assumptions that: (i) both Alice and Bob use the same set of attributes = {α, β}; and (ii) the information Pr(α | B), Pr(β | B) is known to Alice, and information Pr(α | A), Pr(β | A) is known to Bob. We will further elaborate on this issue by analyzing a refined model.

B. The need to refine 2-player model
In real-world authentication systems, credentials are predominantly passed along with additional metadata that makes it possible to discriminate users even when the same type of credential is used. For example, although a driving license is a credential that may prove specific user's claims, it also contains metadata on what state issued it [9]. To illustrate, we present the following example: a driving license is an attribute α as per the previous diagram (see fig. 1), but state metadata makes driver licenses issued by different states distinguishable. Therefore, we will also distinguish different realizations α 1 and α 2 that both belong to a more general category 'driver licenses' (further A). These differences dictate the need to refine the model: we will use an extended set of attributes. In practice, each user may possess only a subset within .
We We then demand that Alice and Bob possess one realization from each category. Random variables α (1) , α (2) for Alice and Bob, respectively, take realizations from A. In a similar way β (1) , β (2) take realizations from B. Different kinds of decisions are made by player i in ABA, which are summarized in fig. 3.
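The conditional-entropy values quoted in section II-B (0.9544 under coordination, 0 under miscoordination) and the effect of distinguishing metadata described above can be reproduced with the following added example, which is not code from the paper. The function names, the dictionary layout and the use of a maximum a posteriori guess as RP's guessing rule are assumptions made for illustration; the example also goes beyond the two-label case by accepting any number of players and realization labels.

```python
# Added illustration (not the authors' code): what a colluding RP can infer
# from interchangeable usage of realizations, measured by H(L | l) in bits.
from math import log2


def rp_view(priors, strategies):
    """Joint distribution Pr(L, l) that RP can estimate from observed events.

    priors:     {player: Pr(player)}, share of authentication events per player
    strategies: {player: {realization: Pr(realization | player)}}
    Realizations carrying the same label are indistinguishable to RP.
    """
    if abs(sum(priors.values()) - 1.0) > 1e-9:
        raise ValueError("priors must sum to 1")
    joint = {}
    for player, prior in priors.items():
        mix = strategies[player]
        if abs(sum(mix.values()) - 1.0) > 1e-9:
            raise ValueError(f"strategy of {player} must sum to 1")
        for realization, p in mix.items():
            if p > 0:  # zero-probability pairs contribute nothing to entropy
                joint[(player, realization)] = prior * p
    return joint


def marginals(joint):
    """Pr(l): how often each realization label shows up at RP."""
    out = {}
    for (_, realization), p in joint.items():
        out[realization] = out.get(realization, 0.0) + p
    return out


def conditional_entropy(joint):
    """H(L | l) = -sum over (L, l) of Pr(L, l) * log2 Pr(L | l)."""
    pr_l = marginals(joint)
    h = -sum(p * log2(p / pr_l[r]) for (_, r), p in joint.items())
    return h + 0.0  # normalise -0.0 to 0.0


def best_guess_success(joint):
    """Hit rate of the MAP guess (assumed guessing rule): for every observed
    realization, RP names the player most likely to have produced it."""
    best = {}
    for (_, realization), p in joint.items():
        best[realization] = max(best.get(realization, 0.0), p)
    return sum(best.values())


# Priors from fig. 1: 6 of 16 events by Alice, 10 of 16 by Bob.
PRIORS = {"Alice": 6 / 16, "Bob": 10 / 16}

# Both players split usage evenly between indistinguishable alpha and beta.
COORDINATED = {
    "Alice": {"alpha": 0.5, "beta": 0.5},
    "Bob": {"alpha": 0.5, "beta": 0.5},
}
# Extreme miscoordination: Pr(alpha | A) = 1 and Pr(beta | B) = 1.
MISCOORDINATED = {
    "Alice": {"alpha": 1.0},
    "Bob": {"beta": 1.0},
}
# Constructed case for the refined model: issuer metadata splits alpha into
# alpha_1 (Alice) and alpha_2 (Bob); only beta remains shared.
METADATA_LEAK = {
    "Alice": {"alpha_1": 0.5, "beta": 0.5},
    "Bob": {"alpha_2": 0.5, "beta": 0.5},
}

if __name__ == "__main__":
    for name, strategies in [
        ("coordinated", COORDINATED),
        ("miscoordinated", MISCOORDINATED),
        ("metadata leak", METADATA_LEAK),
    ]:
        joint = rp_view(PRIORS, strategies)
        print(f"{name:15s} H(L|l) = {conditional_entropy(joint):.4f} bits, "
              f"RP best-guess success = {best_guess_success(joint):.4f}")
```

In the constructed metadata case only the events that use β stay ambiguous, so the conditional entropy drops to half of the coordinated value even though both players still alternate between two realizations.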

C. Decision making framework for ABA
In realistic settings, player i relies on information that needs to be collected from different sources. The player may place different levels of trust into these sources. For example, in ABA systems with n ≥ 2 users information on 'how often users authenticate to RP' may be available in the form of distribution, ∀i Pr(i). This can be attained from different surveys, e.g. asking 'how often do you authenticate to digital platform X?'. Also, information about categories A, B, ... of realizations (assertions) and how these realizations are distributed among the users (joint distribution ℵ further), can be obtained based on the issuance (e.g. APs practices) and acquisition of these realizations by the users (e.g. adoption). All the mentioned information is verifiable (through census or other public statistics) and can be trusted. On the diagram (see fig. 3  If players do not communicate with each other, they may rely on the information that is gathered at RP side. RP should not be involved in the dissemination of this information because he is the potential adversary in 'RP-AP-U' model. Instead, these statistics can be distributed to the users by an independent mediator who runs a proxy. As such, users willing to receive information also need to authenticate through that proxy. The construction of such a scheme, nevertheless, goes beyond the scope of our paper. We assume that players obtain vector ϑ S of 'marginal probabilities at RP'. This is the information about collective effect of interchangeable usage of realizations. For example, from fig. 1 where Pr S (α) = 11/16 and Pr S (β) = 5/16. This example exhibits the situation when ϑ S is known to the players with certainty. Alternatively, this knowledge may be in the form of priors (e.g. some probabilistic distribution ϕ) over ϑ S . The information about ϑ S , ϕ has a different level of trust because it is provided by the mediator: in fig. 3 it is denoted as 'trust II'.
Based on the information that is collected by i from the described sources she makes 'decision I' as to which variant of the game to play: it is either 'naïve' or 'tenable' game. Within each game player i makes 'decision II': she defines Pr(α (i) | i) and Pr(β (i) | i). Decision II is based on best response principle and must be consistent with the information provided to the players. Tenable game utilizes 'worst case' (maximin) scenario to estimate ϑ S , ϕ : this technique can be applied even if 'trust II' is absent [15], [16]. In contrast, naïve game requires trust II to use ϑ S , ϕ that are provided by mediator. Consistency is a necessary condition for trust II in that game: without consistency trust is impossible. We discuss advantages and limitations of naïve and tenable games without providing any recommendations as to how decision I should be made. The following Decision-Making Method for Authentication (DMMA) embodies the flow of the diagram in fig. 3 and supports decision making in ABA: and go to step 6; else go to step 5; 5) i estimates if g == T terminate else go to step 7; 7) if information at step 2 is inconsistent with the best responses of all n assign g := T and go to step 4; else terminate. Further we will analyze games with incomplete information that are suitable for the method. For example, we will: a) demonstrate why step 5 is important for Bayesian and Mediated games; b) explain expression for best response in step 6 using H(L | l); c) formalize consistency requirement in step 7; d) explain how to obtain α (i) , β (i) in step 4.

D. Applying games with incomplete information
In order to encompass uncertainty (incomplete information) that Alice and Bob have about the decisions of each other we consider the following game-theoretical approaches with incomplete information including Bayesian, Mediated and Maximin games.
1) Bayesian game: The game depicted in fig. 1 is of complete information, which is impractical for authentication systems where players do not share with each other information about their attributes and decisions. This can be addressed by a variant of Bayesian game where information about characteristics of the players is represented in the form of beliefs (or priors) which are defined using statistical distributions.
Let us consider the following game = I, T , S, ℵ, , u . We will use set T = {T 1 , T 2 } of random vectors T 1 = α (1) , β (1) , T 2 = α (2) , β (2) which represent the type of each player. Realization of type T 1 is known to Alice, and realization of type T 2 is known to Bob. However, T 1 appears random to Bob, and T 2 appears random to Alice. We describe these random vector realizations using discrete joint probability mass function (pmf) ℵ : A × B → [0, 1] where Pr α (i) = α ι , β (i) = β ρ = ℵ ι,ρ , and i ∈ I; ι ∈ 1, ..., |A| , ρ ∈ 1, ..., |B| (see ℵ on fig. 4). We use S = {s 1 , s 2 }, s 1 = Pr α (1) | A and s 2 = Pr α (2) | B to describe decisions (in pure continuous strategies) of Alice and Bob, respectively. Because s 1 is random for Bob and s 2 is random for Alice we use continuous probability density function (pdf) 1], to describe decision of (all) other player(s) −i whose type(s) is/are T −i . We also consider that information carried out by ℵ and T−i is symmetric for Alice and Bob. Finally, we define the vector u : S → R |I| of utilities for the players in the game where component u i specifies the utility of i. Based on T 1 , s 1 , ℵ, T−i , player Alice calculates her expected utility E ℵ, T −i u 1 .

Definition 4 (Bayes Nash Equilibrium - BNE).
It is the condition of the game where every i plays s b i . The state of equilibrium is a stable (e.g. long-lasting) state. As such, characteristics of authentication systems, including its unlinkability can be estimated in this state. Due to this, we analyze equilibria states only. Multiple equilibria (where T−i may differ) can exist in the game and one of the main criticisms of Bayesian games is the necessity to synchronize information about T−i across all the players (unlike ℵ which is defined by AP, is known to the players, and remains unchanged). This can be addressed in mediated games.
2) Mediated game: In a mediated game, synchronization can be achieved if information that is sufficient for calculation of best response is directly provided to the players. This contrasts with the Bayesian game where i requires priors (or beliefs) about decisions of −i players.
Intuition for a mediation game can be explained in the following 3 steps: (1) As a result of players executing their decisions S, RP observes the set of realizations P S ⊆ P S where P S = α (1) , α (2) , β (1) , β (2) , P S ⊆ . Cardinality of P S satisfies 1 ≤ P S ≤ 4, depending on the number of attributes that are used by Alice and Bob as well as the number of realization of these attributes that match. For example, when both Alice and Bob use their realizations interchangeably (e.g. each player uses 2 attributes), and none of their realizations match, the cardinality of P S is 4. However, if the players use the same realization (across all of their authentication sessions) the cardinality of P S is 1.
(2) We define marginal probabilities at RP (subscript S) such that, for instance, Pr S α (1) is the probability that a random authentication event at RP is executed using realizations which is indistinguishable from realization of α (1) . Players may also have beliefs about random probability vectors (3) We then introduce Mediator (M for short) who provides information about these beliefs to the players (e.g. synchronizes ϕ among them). This information, for instance, can also be in the form of compact statistical characteristic, such as expectation E ϕ [ϑ S ] (see fig. 4). Later it will be demonstrated (for n ≥ 2 players) that this characteristic is sufficient to calculate expected utilities, best responses and, hence, is sufficient for establishing equilibrium.
3) Utility and best responses in mediated game with n ≥ 2 players: We briefly outline major points in relation to our analysis of the coordination game with n ≥ 2 players while more detailed description can be found in the full version of the paper [17].
Defining expressions for expected utility and best responses requires specifying conditional entropy H L | l . At this stage, we do not have any preferences as for distribution Pr(i) 1≤i≤n . We therefore assume that ∀i Pr(i) = 1 n . We then define user utilities based on the following Lemma: Lemma 2. Expected utility for player i is (for the proof see [17]) from which, best response of player i is: Expected unlinkability E [C], C = H L | l of the whole system is For instance, from the diagram on fig. 4 . 3).

4) Consistency in mediated game:
Consistency of the information provided by M in the context of other information available to the players is one of the necessary conditions for its truthfulness. As such, coordination mechanism facilitating unlinkability in authentication systems must be consistent.
For instance, let us demonstrate the requirement for consistency in the case when Alice type is {α 1 , β 1 } and she knows ℵ, ϕ, (see fig. 4). We admit that where ι,ρ is a short notation for the distribution of Bob's decisions when his type is T 2 = {α ι , β ρ }. In a similar way which is impossible because 0 ≤ s 2 ≤ 1. With the aim to design coordination mechanism where M is consistent we assign to E ϕ [ϑ S ] values from corresponding complete information Nash equilibria [18]. It, nevertheless, should be noted that consistency is necessary but not sufficient for truthfulness implying that players must trust M (see 'trust II' on fig. 3).
For that reason we further dub mediated game 'Naïve game'. The issue of trust can be addressed in the next paragraph.

5) Maximin game:
Here we consider a trustless environment where players' decisions in the game are not based on external information except Pr(A), Pr(B), and ℵ. Players produce their best responses in accordance with Wald's maximin principle where they optimize utilities for the worst case scenario [15]. For example, let us ponder over best expected utility of Alice for the worst case scenario w: (10) In the full version of this paper [17] we show that the solution for ι,ρ is a degenerate distribution where the only possible outcome for Bob with type Using eqs. (5) and (6) she would then obtain which is substituted into eq. (2) to obtain that maximizes her expected utility from eq. (10). This result means that over the period of time observable in Figure 4 she would use α (1) in four authentication sessions while β (1) would be used only twice. Due to its trustless property we will further call maximin game 'tenable game'.

IV. EXPERIMENT
To evaluate the impact of DMMA on privacy in ABA we assess our game-theoretical results by conducting numerical evaluations for the system with n ≥ 2 users.
a) The goal of experiment: We address RQ by comparing: (i) unlinkability in ABA as per naïve game (e.g. game with mediator) with the unlinkability in ABA as per tenable game (e.g. maximin); (ii) unlinkability in ABA where users are guided by rational principles such as best responses in the games with the unlinkability in ABA where users make 'alternative' decisions. To find solutions for nonlinear systems we run our experiment in Matlab using the trust region algorithm [19]. It is remarkable that (according to eqs. (1) to (3)) Pr(i), ℵ, E ϕ Pr S α (i) , E ϕ Pr S β (i) are the only information which is required to make a decision as for attribute usage in ABA while , ϕ are not required. Based on eq. (1) we derive best response expressions that are identical among players i whose types T i = α (i) , β (i) match. As such, we further use θ ι,ρ = s i for all i whose T i realization is (α ι , β ρ ). We then define the systems of equations for equilibria in naïve as well as tenable game settings.

A. Experiment organization
For baseline scenarios, we consider 'unrestricted rationality' where 2 attribute realizations {α (i) , β (i) } available to player i can be used interchangeably in naïve and tenable games (see sections III-D2 and III-D5). We also analyze some of alternative scenarios with different kinds of 'irrationality'. While the discussion of many possible alternative decisions goes beyond the scope of our paper we identify: (a) 'restricted rationality' where users play naïve or tenable game but (in contrast to interchangeable usage) select and always use the same realization out of 2 realizations available to them; (b) 'random move' scenario where users use both of their realizations interchangeably but in random manner, ∀i, (s i ) = 1, s i ∈ [0, 1]. We use compact notation for the unlinkability which is obtained in different scenarios. Expected unlinkability (as defined in (3)) in rational scenarios is denoted by E[C κ,μ ] where κ ∈ {N, T } denotes either naïve (letter 'N ') or tenable (letter 'T ') game, respectively. μ ∈ {1, 2} indicates the number of attribute realizations used by each player: μ = 1 specifies games with restricted rationality; μ = 2 specifies games with unrestricted rationality. Notation E C {κ,μ} r is for expected unlinkability measured under random moves scenario (index 'r').
In order to produce outputs in the form of expected unlinkability, our experiment requires the following inputs: 1) {κ, μ} or {κ, μ} r ; and 2) Pr(i), for all players i and the pmf ℵ. For all the instances of experiment, we consider n users and Pr(i) = 1/n for all i. We aim at conducting numerical evaluations for a wide range of various joint pmfs ℵ. For the purpose of convenient presentation and comparison of the outputs from the experiment we depict corresponding unlinkability using two-dimensional heat maps (see Figures 5-7). Coordinates Pr(α 1 ), Pr(β 1 ) of each point on the map define a corresponding 2 × 2 matrix ℵ: ℵ = [Pr(α 1 ), 1 − Pr(α 1 )]^T × [Pr(β 1 ), 1 − Pr(β 1 )] where both Pr(α 1 ), Pr(β 1 ) were quantized with 0.05 step on interval [0, 1]. Color intensity corresponds to unlinkability.

B. Results
We first calculated equilibria for our baseline scenarios of naïve and tenable games where players can use both of their attribute realizations interchangeably (see fig. 5). For each possible $\aleph$ in the naïve game we solved for complete-information Nash equilibria to find $E_\phi[\vartheta_S]$ that need to be communicated to the players by the mediator. Among all the possible solutions we selected those maximizing $E[C_{N,2}]$. For each possible $\aleph$ in the tenable game we calculated the worst-case condition that may be created for player $i$ by the other $n - 1$ players. Then the best response of $i$ and $E[C_{T,2}]$ are calculated (see eq. (2)). As can be observed by comparing fig. 5a and fig. 5b, the naïve game provides substantially better unlinkability.

To compute equilibria for naïve games with single attribute usage (e.g. restricted rationality) we solved a linear system representing mixed and pure discrete equilibria (see the full version of the paper [17]). The benefits of using 2 attributes (unconstrained rationality) versus 1 attribute (constrained rationality) can be observed by comparing the residual unlinkabilities in fig. 6, which are greater than 0 for both heatmaps.
We conducted a range of experiments with randomized moves, the results of which are presented in fig. 7. For the 2-attribute randomized game, each player $i$ decides $0 \le s_i \le 1$ at random according to the uniform distribution on $[0, 1]$. As can be seen from the residuals of expected unlinkabilities, even the constrained rationality (1 attribute usage) scenario outperforms the scenario where 2 realizations are used randomly (chaotically).

V. DISCUSSION
The cross-comparison of results from section IV demonstrates how the proposed DMMA impacts the rate of user unlinkability in ABA systems. In this section we further contribute to RQ by discussing the details of (i) usage of attribute realizations in addition to (ii) distribution of attribute realizations among the users.
As per DMMA, there is a clear contrast between unlinkability in ABA systems where users are guided by different principles of realization usage. In section IV we differentiate between rational and alternative principles of usage (see figs. 6 and 7). From the results it is clear that rational principles of interchangeable usage, where users coordinate, have a substantial benefit over the alternative scenarios. This is because non-cooperative game-theoretical approaches optimize the impact on unlinkability (through best responses) produced by every individual user $i$, taking into account the best responses of other users. In spite of this, we emphasize that game-theoretical approaches do differ and, hence, their impacts on unlinkability in ABA systems are not equal. This difference is due to the varying amount of context information that is available to users in naïve and tenable games. In addition, this context information for coordination can be supplied to the players in various ways [20]. We contemplate that the expectation $E_\phi[\vartheta_S]$, calculated using priors $\phi$ over the vector $\vartheta_S$ of marginal probabilities for attribute realizations observable by the RP (in the 'naïve' variant of the game), can become a viable option in support of better decisions. First, this information is sufficient for each player to produce a best response (see eq. (2)). Second, it may be shared with the players in differentially private form [18], [21]. However, if this information is not available, player $i$ may resort to the best response under the worst-case scenario (e.g. the 'tenable' game), which comes at the cost of lower unlinkability compared to the naïve scenario (see fig. 5) [15]. We, nevertheless, do not provide a recommendation as to which of the naïve and tenable game scenarios to choose for ABA systems (see 'decision I' on fig. 3). This is because these different decision-making concepts require various levels of trust (see 'trust II' on fig. 3): the naïve game is reliant on the mediator M, while the tenable game can be executed in a trustless environment.
In addition, we also gain insights into how the distribution of attribute realizations used by the users impacts their unlinkability. Properties of the joint distribution $\aleph$ substantially affect expected unlinkability in ABA systems. For example, it can be seen that for naïve and tenable games expected unlinkabilities are lower towards the center of the corresponding heatmaps in figs. 5a and 5b. This is because that area represents more diverse distributions, which further constrains the coordination effect. In contrast, the outer areas of these maps represent the cases when the majority of the players have the same type.
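The grid of joint pmfs behind the heat maps, and the sense in which its center is 'more diverse' than its outer areas, can be reproduced as follows. This is an added example, not the authors' code: the function names and the use of Shannon entropy of the type distribution as a diversity proxy are assumptions, and it does not compute the paper's unlinkability measure.

```python
import math

STEP = 0.05  # quantization step for Pr(alpha_1) and Pr(beta_1), as stated in the text
POINTS = round(1 / STEP) + 1  # 21 grid points per axis on [0, 1]


def joint_pmf(p_alpha1, p_beta1):
    """Return the 2x2 matrix [p_a, 1-p_a]^T x [p_b, 1-p_b] as nested lists."""
    column = (p_alpha1, 1.0 - p_alpha1)
    row = (p_beta1, 1.0 - p_beta1)
    return [[a * b for b in row] for a in column]


def type_entropy_bits(pmf):
    """Shannon entropy (bits) of the joint type distribution; 0*log(0) is taken as 0.

    Assumption of this example: entropy of the types stands in for how 'diverse'
    the population is. It is NOT the paper's unlinkability measure.
    """
    return -sum(p * math.log2(p) for r in pmf for p in r if p > 0.0)


def build_grid():
    """Map integer grid indices (i, j) to (pmf, entropy, share of most common type)."""
    grid = {}
    for i in range(POINTS):
        for j in range(POINTS):
            # index / (POINTS - 1) avoids the drift of repeatedly adding 0.05
            pmf = joint_pmf(i / (POINTS - 1), j / (POINTS - 1))
            dominant = max(p for r in pmf for p in r)
            grid[(i, j)] = (pmf, type_entropy_bits(pmf), dominant)
    return grid


def most_diverse_point(grid):
    """Grid index whose type distribution has the highest entropy."""
    return max(grid, key=lambda ij: grid[ij][1])


if __name__ == "__main__":
    grid = build_grid()
    for label, ij in (("center", (10, 10)), ("edge", (19, 10)), ("corner", (20, 20))):
        _, h, dom = grid[ij]
        print(f"{label:6s} Pr(a1)={ij[0] * STEP:.2f} Pr(b1)={ij[1] * STEP:.2f} "
              f"H={h:.3f} bits, most common type share={dom:.3f}")
```

Because each matrix is an outer product, the two attributes are independent under every $\aleph$ on the grid, so the entropy is the sum of the two binary entropies and peaks only at the center point.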
VI. RELATED WORK

1) Privacy and Unlinkability: Unlinkability refers to the ability of a user to perform actions and undertake tasks without others being able to link these actions together [22]. In the context of authentication, multiple studies have identified how unlinkability significantly impacts user privacy, as it is one of the primary conditions of remaining anonymous within a digital environment [11], [14]. Below, we synthesize the main applications of unlinkability in the context of privacy and authentication based on studies to date.
Firstly, studies have applied unlinkability tests to determine whether an attacker is able to guess the label of the entity or the relation between them (i.e. 'link'), and contrasted these 'guesses' with an attacker acting at random [23]-[25]. One such test is ISO/IEC DIS 27551 "Requirements for attribute-based unlinkable entity authentication" as per listing 1, which recognizes and explicitly defines the threat of linkability and profiling pertaining to authentication for the system consisting of AP, users $U_0$, $U_1$, and RP.
Secondly, studies have also quantified the linkability of items in a system by applying information-theoretical descriptions [26], [27]. For example, a basic information-theoretic notion for unlinkability is presented by [28], where Shannon entropy is used to measure the unlinkability of elements within one set as well as between sets. Further improvements to this notion were then added by [29], which provided specific context information across 7 special cases. It must be stressed that the hints that the attacker gathers to create relational links about the user cannot be generalized and must be determined on a case-by-case basis. This is exemplified in studies such as [30]. The authors propose an extensive taxonomy of privacy metrics which, for instance, describes 17 different entropy-based measures.

Summary: one of the main limitations of the analyzed sources is the lack of attention to the problem of interchangeable usage of assertions. Some of the information-theoretic measures, such as those in [30], are universal. However, possible application of these measures to the problem of interchangeable usage is not suggested by the authors. Existing definitions are therefore insufficient to optimize unlinkability in an environment where multiple assertions are used.
2) Game Theory Applications to Privacy: A number of papers apply game theory to address privacy issues either based on problems derived from practice [23], [31], [32], or focusing on the theoretical aspects of game theory [18], [33].
From a practical approach, there are several studies that explored the challenges pertaining to pseudonym change in mobile networks [23], [32]. In [32], the authors elaborate on a user-centric location privacy model which takes into account the beliefs of users about the tracking power of the adversary, the degree of anonymity that users obtain in the mix zones, as well as the cost and time of pseudonym change. Results from their study define an equilibrium where the strategies played by the users can be decided when their utilities are compared with a threshold value. In [23] the authors analyze a game where a local adversary is equipped with multiple eavesdropping stations to track mobile users who deploy mix zones in order to protect their location privacy. The authors predict the strategies of both players and derive the strategies at equilibrium in complete and incomplete information scenarios, which is quantified based on real road-traffic information.

From a theoretical perspective, a number of different studies have examined the coordination scenarios which impact privacy in general [18], [33]. For instance, the authors of [18] discuss a game with a mediating mechanism that can improve the outcome of the game when compared to Bayes Nash Equilibrium (BNE). It also demonstrates that any algorithm that computes a correlated equilibrium of a complete information game while satisfying a variant of differential privacy can be used as a recommended mechanism satisfying desired incentive properties.

Summary: an obvious limitation of the existing game-theoretical solutions is the absence of models that adequately cover interchangeable usage of assertions. Properties of information-theoretical measures command that games with continuous strategies (and not mixed strategies!) must be analyzed in the presence of multiple alternatives for the players. This component is missing from game-theoretical applications for privacy. Also, the majority of the sources gravitate toward games where information sets can be provided to the users. As such, they ignore cases of severe uncertainty. There are several limitations to this sole line of thought. First, a mechanism that provides information to the players (similar to the mediator in the 'naïve game') must be designed. Second, players must place trust in that mechanism.

VII. CONCLUSION
In this paper, we demonstrated that unlinkability in ABA can be improved. This requires that the necessary attention is given to the aspects of interchangeable usage of assertions possessed by a user. That line of thought comprises a new research direction. It contrasts with the traditional approach to the problem of unlinkability that is practiced within the research community: to make assertions indistinguishable. Due to this, the question 'How to best use these assertions if indistinguishability fails with non-zero probability?' has been largely ignored. With the aim of contributing to this new topic, we proposed a framework and DMMA in section III: it is based on rational decision-making approaches.
Using conditional entropy, we measured the strongest notion of unlinkability specified by ISO 27551 for attribute-based authentication. We believe that this is the most optimal benchmark because it allows us to encompass various levels of context information that may be available to the adversary as well as to players in real-world settings. Players' utilities and their best responses are then derived for two different instances (naïve and tenable) of a non-cooperative coordination game with incomplete information.
The equilibria calculated in the experimental part of our paper clearly indicate that the rational approach to the problem outperforms the alternative approaches, for instance the habitual usage of the same assertion or random usage of many available assertions. As such, we conclude by recommending that the proposed DMMA be adopted by those working on Digital Credential Wallets (DCW). This can improve unlinkability in ABA in a way that is easy and convenient for a user and does not require modifications of existing authentication protocols.
APPENDIX A PROOF OF LEMMA 1

Lemma 1. Best linking performance is limited by H(L | l) (for proof see section A).
Proof. In order to link authentication sessions RP labels them with L ∈ L , where L = A , B . We divide the proof in 2 parts: (i) we demonstrate that for the best linking performance RP aims to minimize H(L | L ); (ii) and, H(L | L ) ≥ H(L | l).
(i) We express linking performance P of RP as the difference between True Positive Rate (TPR) and False Positive Rate