April 26, 2025
Conference Paper
Title
Analysis on Rolling Re-Pseudonymization without Accessing Plaintext Data for Distributed Secure Information Discovery
Abstract
In this paper, we explore a novel approach to rolling re-pseudonymization of encoded data records within the context of distributed secure information discovery. Our practical application context is a decentralized Hit/No-Hit system using modified Bloom filter pseudonymization, which we call "ADEP Technology" and which is currently used in the context of information discovery for Member States of the European Union. Frequent rolling re-pseudonymization, i.e., changing pseudonymization parameters and secrets, increases operational security by mitigating the risk associated with frequency attacks. We analyze trade-offs between privacy, linkage quality, and performance of two re-pseudonymization strategies: traditional re-pseudonymization from plaintext and a novel approach that does not require access to plaintext data. The novel approach requires the utilized modified Bloom filters to exhibit sufficiently low false positive rates, which can be achieved with minor adjustments to the pseudonymization procedure and a suitable choice of pseudonymization parameters.