[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [freehaven-dev] meeting tomorrow 2pm





On Sun, 30 Apr 2000, Roger R Dingledine wrote:

> i'm pondering the concept of full anonymity ("ideal" anonymity) vs partial
> anonymity. eg, i might claim i've got better than no anonymity if you know
> i'm in california but have no idea where past that.

There's a suggestion of this kind of idea in Paul Syverson's paper on 
"Group Principals and the Formalization of Anonymity."
He outlines a model in which the adversary starts off believing that
the sender of a message is one of a very big set of possible senders.

Then the adversary does stuff. 

After doing stuff, the adversary can refine the set of possible senders to
exclude candidates, and so "home in" on what may be the real sender. 
This is all formalized by a logic which allows one to say, for a
particular protocol, how close the adversary can come to the real sender
if it does actions X, Y, and Z.

At least, this is the *claim*. The paper only gives an example of a
partial analysis for a single-hop web proxy a la Anonymiser. Plus I'm not
comfortable with logic-based approaches and formal methods; I think mostly
because I'm not yet comfortable with logics past first-order predicate...

The paper appeared in the "World Congress on Formal Methods 1999" (full
cite on Syverson's web page), but I have a copy which I'll place on my web
page and then post the link here.
 
Even if the logic/formal method framework is overkill at this point, 
the concept of an adversary "discovering" information seems related. 

> i've been on a theory kick the last week.
> i suspect i'm going to remain on said theory kick until my thesis is
> written. i apologize to those of you who are solely course 6. :)


-David
(uses a Mark I for class)