Update draft-irtf-cfrg-bbs-signatures.md

Co-authored-by: Andrew Whitehead <[email protected]>

draft-irtf-cfrg-bbs-signatures.md

@@ -330,7 +330,7 @@ Similarly, the Prover can choose a `presentation_header` value to be bound to th
 
 ### Unlinkability
 
-As mentioned in the Introduction, a BBS proof is unlinkable. In this section we will define the term in more detail. Formally, we use unlinkability to refer to the fact that a BBS proof is zero-knowledge (TODO: ADD REFERENCE). In practice, this guarantees that an adversary (a Verifier, the Issuer or coalitions between one or more Verifiers and the Issuer) will not be able to infer any information from the BBS proof value, other than what the Prover decided to provide, even with access to multiple proof values. Consequently, the Verifier will not be able to corelate multiple proofs generated by the same signature or Prover. Note however, that this holds only for the value of the BBS proof. In other words, other values revealed by the Prover during their interaction with a Verifier, may still be used to corelate their activity and compromise their privacy. Examples of such values include, the disclosed messages (if the same message of high enough entropy is revealed between multiple proofs), the `header` and `presentation_header` values (see Section (#header-and-presentation-header-usage)) or the total number of signed messages. See Section (#privacy-considerations) for privacy considerations and recommendations on minimizing these sources of correlation.
+As mentioned in the Introduction, a BBS proof is unlinkable. In this section we will define the term in more detail. Formally, we use unlinkability to refer to the fact that a BBS proof is zero-knowledge (TODO: ADD REFERENCE). In practice, this guarantees that an adversary (a Verifier, the Issuer or coalitions between one or more Verifiers and the Issuer) will not be able to infer any information from the BBS proof value, other than what the Prover decided to provide, even with access to multiple proof values. Consequently, the Verifier will not be able to correlate multiple proofs generated by the same signature or Prover. Note however, that this holds only for the value of the BBS proof. In other words, other values revealed by the Prover during their interaction with a Verifier, may still be used to correlate their activity and compromise their privacy. Examples of such values include the disclosed messages (if the same message of high enough entropy is revealed between multiple proofs), the `header` and `presentation_header` values (see Section (#header-and-presentation-header-usage)), or the total number of signed messages. See Section (#privacy-considerations) for privacy considerations and recommendations on minimizing these sources of correlation.
 
 ## Key Generation Operations