[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] Assorted small changes, typos, etc. for preproceedin...
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.mit.edu:/tmp/cvs-serv7696/fc03
Modified Files:
econymics.bib econymics.ps econymics.tex
Log Message:
Assorted small changes, typos, etc. for preproceedings.
Index: econymics.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.bib,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- econymics.bib 17 Sep 2002 02:37:55 -0000 1.11
+++ econymics.bib 13 Dec 2002 22:00:54 -0000 1.12
@@ -11,25 +11,17 @@
howpublished = {\url{http://www.anonymizer.com/}}
}
+
@InProceedings{back01,
- author = {Adam Back and Ulf M\"{o}ller and Anton Stiglic},
- title = {Traffic Analysis Attacks and Trade-Offs in Anonymity
- Providing Systems},
- booktitle = {Information Hiding, (IH 2001), {LNCS} Vol.\ 2137},
- pages = {245--257},
- year = 2001,
- publisher = {Springer-Verlag}
+ author = {Adam Back and Ulf M\"oller and Anton Stiglic},
+ title = {Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems},
+ booktitle = {Information Hiding, 4th International Workshop (IH 2001)},
+ pages = {245--257},
+ year = 2001,
+ editor = {Ira S. Moskowitz},
+ publisher = {Springer-Verlag, LNCS 2137}
}
-@InProceedings{Diaz02,
- author = {Claudia Diaz and Stefaan Seys and Joris Claessens
- and Bart Preneel},
- title = {Towards measuring anonymity},
- booktitle = {Privacy Enhancing Technologies (PET 2002)},
- year = 2002,
- editor = {Paul Syverson and Roger Dingledine},
- publisher = {Springer Verlag, LNCS (forthcoming)}
-}
@Book{diffiebook,
author = {Whitfield Diffie and Susan Landau},
@@ -39,6 +31,16 @@
year = 1998
}
+@InProceedings{Diaz02,
+ author = {Claudia D\'iaz and Stefaan Seys and Joris Claessens
+ and Bart Preneel},
+ title = {Towards measuring anonymity},
+ booktitle = {Privacy Enhancing Technologies (PET 2002)},
+ year = 2002,
+ editor = {Roger Dingledine and Paul Syverson},
+ publisher = {Springer Verlag, LNCS 2482}
+}
+
@Book{fudenberg-tirole-91,
author = {Drew Fudenberg and Jean Tirole},
title = {Game Theory},
@@ -51,11 +53,12 @@
Hopwood and David Molnar},
title = {{A Reputation System to Increase MIX-net
Reliability}},
- booktitle = {Information Hiding, 4th International Workshop (IH 2001)},
- pages = {126--141},
- year = 2001,
- editor = {Ira Moskowitz},
- publisher = {Springer-Verlag, LNCS 2137},
+ booktitle = {Information Hiding, 4th International Workshop (IH 2001)},
+ pages = {126--141},
+ year = 2001,
+ editor = {Ira Moskowitz},
+ publisher = {Springer-Verlag, LNCS 2137}
+ note = {\url{http://www.freehaven.net/papers.html}},
}
@InProceedings{casc-rep,
@@ -93,8 +96,8 @@
title = {Towards an Information Theoretic Metric for Anonymity},
booktitle = {Privacy Enhancing Technologies (PET 2002)},
year = 2002,
- editor = {Paul Syverson and Roger Dingledine},
- publisher = {Springer Verlag, LNCS (forthcoming)}
+ editor = {Roger Dingledine and Paul Syverson},
+ publisher = {Springer Verlag, LNCS 2482}
}
@Article{grossman-stiglitz-80,
Index: econymics.ps
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.ps,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- econymics.ps 17 Sep 2002 03:43:17 -0000 1.4
+++ econymics.ps 13 Dec 2002 22:00:54 -0000 1.5
@@ -1,3336 +1,5320 @@
%!PS-Adobe-2.0
-%%Creator: dvipsk 5.86 p1.5d Copyright 1996-2001 ASCII Corp.(www-ptex@ascii.co.jp)
-%%based on dvipsk 5.86 Copyright 1999 Radical Eye Software (www.radicaleye.com)
+%%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software
%%Title: econymics.dvi
-%%Pages: 16
+%%Pages: 18
%%PageOrder: Ascend
%%BoundingBox: 0 0 612 792
+%%DocumentPaperSizes: Letter
%%EndComments
[...8593 lines suppressed...]
+3645 y(20.)43 b(Ariel)22 b(Rubinstein.)k(P)n(erfect)d(equilibrium)d(in)
+h(a)h(bargaining)h(mo)r(del.)k Fa(Ec)l(onometric)l(a)p
+Fp(,)d(50:97{)663 3736 y(110,)j(1982.)523 3827 y(21.)43
+b(Andrei)19 b(Serjan)n(to)n(v)h(and)g(George)i(Danezis.)k(T)-6
+b(o)n(w)n(ards)21 b(an)f(information)h(theoretic)f(metric)g(for)663
+3919 y(anon)n(ymit)n(y)-6 b(.)47 b(In)30 b(P)n(aul)h(Syv)n(erson)f(and)
+h(Roger)g(Dingledine,)g(editors,)h Fa(Privacy)h(Enhancing)663
+4010 y(T)-6 b(e)l(chnolo)l(gies)29 b(\(PET)e(2002\))p
+Fp(.)h(Springer)d(V)-6 b(erlag,)27 b(LNCS)e(\(forthcoming\),)h(2002.)
+523 4101 y(22.)43 b(Andrei)22 b(Serjan)n(to)n(v,)i(Roger)g(Dingledine,)
+g(and)f(P)n(aul)h(Syv)n(erson.)30 b(F)-6 b(rom)22 b(a)i(tric)n(kle)g
+(to)f(a)h(\015o)r(o)r(d:)663 4193 y(Activ)n(e)d(attac)n(ks)h(on)g(sev)n
+(eral)g(mix)e(t)n(yp)r(es.)28 b(In)21 b(F)-6 b(abien)22
+b(P)n(etitcolas,)h(editor,)g Fa(Information)h(Hid-)663
+4284 y(ing,)f(5th)i(International)g(Workshop)g(\(IH)f(2002\))p
+Fp(.)f(Springer-V)-6 b(erlag,)22 b(LNCS)g(\(forthcoming\),)663
+4375 y(2002.)1922 5173 y Fs(18)p eop
%%Trailer
end
userdict /end-hook known{end-hook}if
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -d -r1.41 -r1.42
--- econymics.tex 2 Oct 2002 22:10:31 -0000 1.41
+++ econymics.tex 13 Dec 2002 22:00:54 -0000 1.42
@@ -6,7 +6,7 @@
\usepackage{amsmath}
%\textwidth16cm
-\textwidth13.6cm
+%\textwidth13.6cm
%\textheight21cm
%\topmargin0mm
%\oddsidemargin2.5mm
@@ -108,12 +108,13 @@
Individuals and organizations need anonymity on the Internet. People
want to surf the Web, purchase online, and send email without exposing
-their identities, interests, and activities to others. Corporate
-and military organizations must communicate with other organizations
-without revealing the existence of such communications to competitors and
-enemies. Firewalls, VPNs, and encryption cannot provide this protection
---- indeed, Diffie has remarked that traffic analysis is the backbone
-of communications intelligence, not cryptanalysis \cite{diffiebook}.
+their identities, interests, and activities to others. Corporate and
+military organizations must communicate with other organizations
+without revealing the existence of such communications to competitors
+and enemies. Firewalls, VPNs, and encryption cannot provide this
+protection --- indeed, Diffie and Landau have remarked that traffic
+analysis is the backbone of communications intelligence, not
+cryptanalysis \cite{diffiebook}.
With so many potential users, it might seem that there is a ready market
for anonymity services --- that is, it should be possible to offer such
@@ -157,7 +158,7 @@
%traffic to a single entity either.
The only viable solution is to distribute trust. Each party can choose
to run a node
-in a shared \emph{strong anonymity} infrastructure, if its incentives
+in a shared strong anonymity infrastructure, if its incentives
are large enough to support the associated costs. Users with more modest
budgets or shorter-term interest in the system also benefit from this
decentralized model, because they can be confident that a few colluding
@@ -194,7 +195,7 @@
anonymity-breaking attacks \cite{back01,raymond00}. Additionally,
adversaries can also attack the efficiency or reliability of nodes, or
try to increase the cost of running nodes. All of these factors combine
-to threaten the \emph{anonymity} of the system. As Back et al point
+to threaten the \emph{anonymity} of the system. As Back et al.\ point
out, ``in anonymity systems usability, efficiency, reliability and cost
become \emph{security} objectives because they affect the size of the
user base which in turn affects the degree of anonymity it is possible
@@ -207,8 +208,13 @@
\label{sec:model}
-In this section and those that follow, we formalize the economic analysis
-of why people might choose to send messages through mix-nets. Here we
+In this section and those that follow, we formalize the economic
+analysis of why people might choose to send messages through
+mix-nets\footnote{Mixes were introduced by David Chaum. A mix takes in
+ messages, changes their appearance and sends them out in an order
+ different from that in which they came in, thus obscuring the
+ relation of incoming to outgoing messages.}.
+Here we
discuss the incentives for the agents to participate either as senders
or also as nodes, and we propose a general framework for their
analysis. In the next section we consider various applications of our
@@ -248,7 +254,7 @@
\begin{enumerate}
\item Benefits from sending messages anonymously. We model them as a function
-of the subjective evaluation the agent places on the information
+of the subjective value the agent places on the information
successfully arriving at its destination, $v_{r}$; the subjective value of
keeping her identity anonymous, $v_{a}$; the perceived level of
anonymity in the system, $p_{a}$ (the probability that the sender and message
@@ -284,11 +290,11 @@
\item The relation between the number of nodes and the probability
of remaining anonymous might not be monotonic. At parity of traffic,
-sensitive agents might want fewer nodes in order to maintain high anonymity
+sensitive agents might want fewer nodes in order to maintain large anonymity
sets. But if some nodes are dishonest, users may prefer
more honest nodes (to increase the chance that messages go through honest
nodes). Agents that act as nodes may prefer fewer nodes,
-to maintain high anonymity sets at their particular node.
+to maintain larger anonymity sets at their particular node.
Hence the probability of remaining anonymous is inversely related to the
number of nodes but positively related to the ratio of honest/dishonest
nodes.
@@ -344,7 +350,7 @@
thought to act as a dishonest node.
Some of these reputation costs and benefits can be modeled endogenously (for
-example, being perceived as a honest node brings that node more traffic, and
+example, being perceived as an honest node brings that node more traffic, and
therefore more possibilities to hide that node's messages; similarly, being
perceived as a dishonest node might bring traffic away from that node).
They would enter the utility functions only indirectly through the
@@ -362,8 +368,9 @@
\begin{array}{c}
\theta \left[ \gamma \left( v_{r},p_{r}\left( n_{h},n_{d}\right) \right)
,\partial \left( v_{a},p_{a}\left( n_{s},n_{h},n_{d},a_{i}^{s}\right)
-\right) ,a_{i}^{s}\right] + \\
-b_{h}a_{i}^{h}+b_{d}a_{i}^{d}-c_{s}\left( n_{s},n_{h}\right)
+\right) ,a_{i}^{s}\right] \, + \,
+b_{h}a_{i}^{h}+\\
+b_{d}a_{i}^{d} - c_{s}\left( n_{s},n_{h}\right)
a_{i}^{s}-c_{h}\left( n_{s},n_{h},n_{d}\right) a_{i}^{h}-c_{d}\left(
..\right) a_{i}^{d}-c_{r}\left( ..\right) a_{i}^{r}-c_{n}
\end{array}
@@ -697,7 +704,7 @@
In fact, this model might have equilibria with free-riding even when
the other agent's type is unknown. Let's imagine that both agents know
-that the evaluations $v_{i}$ are drawn independently from a continuous,
+that the valuations $v_{i},v_{j}$ are drawn independently from a continuous,
monotonic probability distribution. Again, when one agent cares about
her privacy enough, and/or believes that there is a high probability
that the opponent would act as a dishonest node, then the agent will
@@ -736,7 +743,7 @@
perspective is that the highly sensitive agents actually
\emph{want} some level of free-riding, to provide noise. On the other
side, they do not want too much free-riding --- for example from highly
-sensitive type pretending to be agents with low sensitivity --- if it
+sensitive types pretending to be agents with low sensitivity --- if it
involves high traffic costs.
So, under which conditions will a system with many players not implode?
@@ -762,7 +769,7 @@
In fact, when the valuations are continously distributed this
\emph{might} generate equilibria where the agents with the highest
-evaluations $v_{i}$ become nodes, and the others, starting with the
+valuations $v_{i}$ become nodes, and the others, starting with the
``marginal'' type (the agent indifferent between the
benefits she would get from acting as node and the added costs of doing
so) provide traffic.\footnote{Writing down specific equilibria, again,
@@ -779,7 +786,7 @@
us.}
The problems start if we consider now a different situation. Rather than
-having a continuous distribution of evaluations $v_{i}$, we consider two
+having a continuous distribution of valuations $v_{i}$, we consider two
types of agents: the agent with a high valuation, $v_{H}$, and the agent
with a low valuations, $v_{L}$. We assume that the $v_{L}$ agents will simply participate
sending traffic if the system is cheap enough for them to use (but see
@@ -831,11 +838,15 @@
%mechanisms where all the agents truthfully reveal their types.}).
The Anonymizer offers basic service at low costs to low-sensitivity agents
(there
-is a cost in the delay and the hassles of using the free service), and
+is a cost in the delay, the limitation on destination addresses,
+ and the hassle of using the free service), and
offers better service for money. With usage fees, the cost of being a node
is externalized. A hybrid solution involves
distributed trusted nodes, supported through entry fees paid to a central
authority and redistributed to the nodes.
+This was the approach of the Freedom Network from Zero-Knowledge Systems.
+The network was shut down because they were unable to sell enough clients
+to cover their costs.
%\item \emph{Bilateral contracts}. Bilateral or multilateral contracts between
%agents can lead them to agree on cooperation, and on penalties for breaching
@@ -871,7 +882,7 @@
$p_a$ is influenced not just by $n_h$ but
also by jurisdictional diversity --- a given high-sensitivity sender is
happier with a diverse set of mostly busy nodes than with a set of very busy
-nodes run in the same zone. Also, after some threshold of users latency
+nodes run in the same zone. Also, after some threshold of users, latency
will begin to suffer, and the low sensitivity users will go elsewhere,
taking away the nice anonymity sets.
@@ -932,7 +943,7 @@
Another potential solution, a global PKI to ensure unique identities, is
unlikely to emerge any time soon.
-\subsection{Dishonest Nodes vs Lazy Nodes}
+\subsection{Dishonest Nodes vs.\ Lazy Nodes}
We have primarily focused on the strategic motivations of honest agents,
but the motivations of dishonest agents are at least as important. An
@@ -976,7 +987,7 @@
of the system. In addition, this tactic, by altering the flow of the traffic
through her own node, might actually reduce the anonymity of that agent.
-Surveys and analysis on actual attacks on actual systems (eg \cite
+Surveys and analysis on actual attacks on actual systems (e.g., \cite
{nymserver98}) can help determine which forms of attacks are frequent, how
dangerous they are, and whether economic incentives or technical answers are
the best way to counter them.
@@ -990,7 +1001,7 @@
players can somehow know each other and coordinate to start with one of the
cooperative equilibria discussed above.
-But this does not sound as a realistic scenario. Hence we must discuss how a
+But this does not sound like a realistic scenario. Hence we must discuss how a
mix-net system with distributed trust can come to be. We face a paradox
here: agents with high privacy sensitivity want lots of traffic in order to
feel secure using the system. They need many participants with lower privacy
@@ -1000,7 +1011,7 @@
system might be higher than the real costs\footnote{%
Many individuals tend to be myopic in their attitude to privacy. They claim
they want it but they are not willing to pay for it. While this might
-reflect a rational assestment of the trade-offs (that is, quite simply, the
+reflect a rational assessment of the trade-offs (that is, quite simply, the
agents do not value their anonymity highly enough to justify the cost to
protect it), it might also reflect ``myopic'' behavior such as the
hyperbolic discounting of future costs associated to the loss of anonymity.
@@ -1016,11 +1027,11 @@
since we must consider both the benefits from sending a message \textit{and }%
keeping it anonymous. If the benefits of sending the message are not that
high in first instance, then the agents with low sensitivity will
-have fewer incentives to spend anything to mantain the message itself
-anonymous. Given that in our model we consider the costs and benefits of
+have fewer incentives to spend anything to mantain anonymity of the message.
+Given that in our model we consider the costs and benefits of
using a certain system, we can of course extend the analysis to the
comparison between different systems with different costs/benefit
-characteristics. We comment more on this in the conclusive Section.
+characteristics. We comment more on this in the conclusion.
%Note in this case that the choice of agents with lower privacy sensitivity
%between different anonymous systems with different levels of anonymity (and
@@ -1072,9 +1083,10 @@
\begin{itemize}
\item Dummy traffic. Dummy traffic increases costs but it also increases
anonymity. In this extension we should study bilateral or multilateral
-contracts between agents, forcing contractually each agent to send to
+contracts between agents, contractually forcing each agent to send to
another agent(s) a certain number of messages in each period. With these
-contracts, if the sending agent has not enough real messages going through
+contracts, if the sending agent does not have enough real messages going
+through
its node, it will have to generate them as dummy traffic in order not to pay
a penalty.
@@ -1139,6 +1151,11 @@
coordination costs which make it unfeasible. A central coordination
authority to redistribute payments may be more practical.
\end{itemize}
+
+\section*{Acknowledgments}
+
+Work on this paper was supported by ONR.\@ Thanks to John Bashinski,
+Nick Mathewson, and the anonymous referees for helpful comments.
\bibliographystyle{plain}
\bibliography{econymics}
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/