
[freehaven-dev] paper outline

This is a draft off the top of my head. Comments appreciated as always.
It's sketchy towards the end. 

"Free Haven : Towards the Specification, Design, and Modelling of a 
Robust Anonymous Storage System"

1. Introduction

1.1 Short summary of project ("We present the Free Haven project...") 
1.2 Motivation for Anonymity 
1.3 Short Description Of Why This Is Really Hard
1.4 Organization of the Paper

2. Definitions

2.1 "Storage System" 

2.1.1 Intuitive idea -- examples of storage systems
2.1.1.1 Hard Drive
2.1.1.2 RAID
2.1.1.3 Broadcast Disks 

2.1.2 Definition of Storage System
2.1.2.1 "Add" 
2.1.2.2 "Retrieve" 

2.1.3 Requirements for Storage Systems
2.1.3.1 Robustness
2.1.3.2 Integrity
2.1.3.3 Efficiency 
2.1.3.4 Access Control 

2.1.4 Distinction between "Storage" and "Publication" 
2.1.4.1 Publication implies high availability
2.1.4.2 Publication implies high update capability (fresh data)

2.2 "Anonymous or Pseudonymous communication channel" 

2.2.1 Intuitive idea and motivation
2.2.1.1 Voting protocols
2.2.1.2 Spycraft

2.2.1.3 Distinction between Anonymity and Pseudonymity
	(hereafter conflated as "Nymity" for discussion until
	we reach the point where one is easier than the other)

2.2.2 Examples of *nymous Channels 
2.2.2.1 Chaum MIXes
2.2.2.2 Dining-Cryptographer Nets
2.2.2.3 Onion Routing / ZKS
2.2.2.4 Public Bulletin Boards


2.2.3 Requirements For *nymous Communication Channel
2.2.3.1 Reliability
2.2.3.2 Low Latency
2.2.3.3 Integrity
2.2.3.4 Anonymity (but what's that?)

2.2.4 Pinning Down / Defining Nymity 
2.2.4.1 Intuitive notion - "Can't link message to sender." 
2.2.4.2 Parties Involved
???  As we found out, this part may be a little tricky. 
2.2.4.3 Adversaries 
2.2.4.3.1 Computationally Bounded vs. Computationally Unbounded
2.2.4.3.2 "Active" vs. "Passive" adversaries

2.2.4.4 Pseudonymity vs. Anonymity
2.2.4.4.1 Pseudonymity at least as hard as Anonymity, maybe harder

2.2.5 General Attacks and Possible Countermeasures

2.2.5.1 Traffic Analysis
2.2.5.1.1 Message Pools, Reordering
2.2.5.1.2 Heartbeats
2.2.5.1.3 "Latency vs. Nymity"  

2.2.5.2 Usage Patterns ("intersection attack")
2.2.5.3 Stupid User Tricks (e.g. "ask browser for user's name. gee.")
2.2.5.4 Which Attacks Can and Probably Can't Be Prevented

2.2.6 Extant Formal Definitions of Anonymity For Communication Channels
2.2.6.1 Chaum's Definition and Proofs
2.2.6.2 "Probabilistic Anonymity" from SG-MIXes
2.2.6.3 Quantified Anonymity - Crowds (and Roger)
	-i.e. "You are 50-anonymous"
2.2.6.4 Reasoning About Quantified Anonymity - Syverson

2.2.7 Where Definitions Need More Work (if anywhere) 

2.2.8 Cool Ideas Which No One Has Really Analyzed Yet
2.2.8.1 Garlic Routing -- address "robustness" 
2.2.8.2 Constantly Changing Addresses (suggested by us, also, it seems, by this
	Dogan Kesdogan guy)
2.2.8.3 "Alien Conspiracy" routing 
2.2.8.4 "Variable Implicit Addresses" (Dogan Kesdogan again)
whatever else...

2.3 "Anonymous Protocol" 

2.3.1 Distinction between an anonymous channel and anonymous protocol
	(similar to the distinction between a "secure channel" and 
	a "secure protocol" for multiparty computation)

2.3.2 The "Ideal Model" (suggested by Anna. Thanks, Anna!)
2.3.2.1 Motivation : Secure Multi-Party Computation
2.3.2.1.1 Problem and Definitions of Secure Multiparty Computation
	(just a sketch. no need to add 300 pages for this section)
2.3.2.2 Towards A Definition of Ideal Anonymous Protocol
2.3.2.2.1 "Let's Play A Game : Who Wants To Be An Adversary?"
	We don't have nice formal definitions here, but we can 
	sketch more or less what they might look like and cite it
	as an open problem, with the major caveat that bad definitions
	will allow you to prove true things which are useless.
	(Maybe make a straw man bad definition and show how it fails
	miserably?)

3. Specification of the Free Haven System 

<see Roger's Thesis> 

3.1 Goals of Free Haven (in terms of previous definitions)

3.2 Outline of Free Haven
3.2.1 Servnet
3.2.2 Nodes and Their Properties

3.3 The Communications Module 

<all class responsibility diagrams and whatever go here> 
<yes, I know, we don't have classes>

4. Modelling the Free Haven System 

<see model.tex> 

5. Attacks on Free Haven

6. Evaluation of Free Haven 

6.1 Free Haven as Storage System
6.2 Free Haven as Anonymous Protocol

<Roger's chart goes in here>

7. Comparison to Related and Alternate Work

7.1 Freenet
... and everything else.

8. Future Directions and Open Problems