[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] fix spelling, grammar, clarity, and correctness.
Update of /home/freehaven/cvsroot/doc/alpha-mixing
In directory moria:/home/arma/work/freehaven/doc/alpha-mixing
Modified Files:
alpha-mixing.tex alpha-mixing.bib
Log Message:
fix spelling, grammar, clarity, and correctness.
i believe none of these fixes will be controversial.
Index: alpha-mixing.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/alpha-mixing/alpha-mixing.tex,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -d -r1.38 -r1.39
--- alpha-mixing.tex 2 Jun 2006 21:49:33 -0000 1.38
+++ alpha-mixing.tex 8 Jul 2006 19:27:28 -0000 1.39
@@ -30,8 +30,8 @@
\begin{document}
-\title{Blending different latency traffic\\with alpha-mixing\\
-\normalsize{(Pre-proceedings Draft)}}
+\title{Blending different latency traffic\\with alpha-mixing}
+%\normalsize{(Pre-proceedings Draft)}}
%\title{Alpha-mixing or Getting Personal with the Adversary}
\author{Roger Dingledine\inst{1} \and Andrei Serjantov\inst{2} \and Paul Syverson\inst{3}}
@@ -121,7 +121,8 @@
and analysing the anonymity properties they can provide to users with
different security preferences. Next we look at the strategies users
should follow when picking the security parameter for each mix in the
-message's path. Thirdly, we look at the incentives users have for
+message's path. In Section~\ref{sec:strategic-choice}, we look at the
+incentives users have for
choosing a high security parameter themselves rather than expecting
others to take the latency penalty (and thus provide more anonymity to
everyone). Lastly we consider more sophisticated alpha-mixing
@@ -191,7 +192,7 @@
It is also possible to have a threshold-or-timed alpha mix in which
all messages are decremented in the alpha stack if either $t$ seconds
have passed or $n$ messages have arrived.
-Similarly, one can have a threshold-and-timed mix
+Similarly, one can have a threshold-and-timed alpha mix
to reduce the effective rate of flooding attacks~\cite{trickle02}.
Even more complex variants of these designs are discussed in
Section~\ref{sec:beta-alpha}.
@@ -201,9 +202,9 @@
\label{sec:passive-adversary-anonymity}
Here we describe the anonymity for a threshold alpha mix during
-steady-state (messages arrive with various alphas at a regular rate, and
+steady-state (i.e., messages arrive with various alphas at a regular rate, and
the mix fires at regular intervals). In this case the threshold mix is
-indistinguishable by a local external passive adversary from a timed mix.
+indistinguishable by a local observer from a timed mix.
We assume the adversary does not know the specific alpha of any
message entering the mix, e.g., that this is provided to the mix
@@ -241,7 +242,7 @@
\end{proof}
If the adversary does know the strategy (although still not the actual
-initial $\alpha$) for each message, then the anonymity of $M$ is
+$\alpha$) for each incoming message, then the anonymity of $M$ is
unaffected by the strategy that other messages use for choosing $\alpha$
in a steady-state network. However, if the strategies are not known,
then choosing $\alpha$ from a broader range increases the anonymity
@@ -287,15 +288,15 @@
Consider sender anonymity in the setting of just one mix, illustrated
on two rounds only (equivalently, suppose maximum alpha is 1):
-Round 1: $I_1 = i_{1,1} \ldots i_{n,1}$ entered the mix, messages
+Round 1: $I_1 = i_{1,1} \ldots i_{m,1}$ entered the mix, messages
$o_{1,1} \ldots o_{x,1}$ came out.
-Round 2: $I_2 = i_{1,2} \ldots i_{m,2}$ entered, messages $o_{1,2}
+Round 2: $I_2 = i_{1,2} \ldots i_{n,2}$ entered, messages $o_{1,2}
\ldots o_{y,2}$ came out.
-$\alpha(x)$ is the set of possible alphas of message $x$ as known by
+Let $\alpha(x)$ be the set of possible alphas of message $x$ as known by
the attacker. Note that if the attacker knows nothing, then $\forall x,\
-\alpha(x) = \{0,1\}$
+\alpha(x) = \{0,1\}$.
Our target message is $o_{1,2}$. The sender anonymity set (in
messages) is:
@@ -378,7 +379,7 @@
\label{sec:distributing-alpha}
In the previous section we discussed the fact that an adversary who
-can learn about the senders's alphas can weaken her anonymity. For
+can learn about the sender's alphas can weaken her anonymity. For
example, sending only high
value messages and picking high security parameters for them can actually
decrease anonymity.
@@ -397,7 +398,7 @@
is concerned about security.
One possible solution for picking a sequence of $\alpha^{(i)}$ (where
-the `$(i)$' represents the $i^{th}$ mix in the route) is precisely to
+the ``$(i)$'' represents the $i^{th}$ mix in the route) is simply to
pick from a uniform distribution over the partitions of $\Sigma
\alpha$ into $\ell$ buckets where the buckets themselves are
indistinguishable. The number of such partitions are given by
@@ -429,13 +430,14 @@
and hence obtain a sequence of alphas to insert into the message.
If we wish to guarantee that neither the first nor the last mix can
-locally know anything the about sensitivity level of a message, we can
+locally know anything about the sensitivity level of a message, we can
simply stipulate for message $M$ that $\alpha^{(0)}_{M} =
\alpha^{(n)}_{M} = 0$ (for a path length of $n+1$). Similarly we
could stipulate that $\alpha^{(1)}_{M} = \alpha^{(n-1)}_{M} \leq
1$, etc. The tradeoff is that with each such move we are reducing
what an adversary observing just the endpoints can learn about
-sensitivity of messages, but fewer nodes in the center learn more
+sensitivity of messages, but a more concentrated set of nodes in the
+center learn more
about the sensitivity of messages. Against an adversary who controls
the central
node(s) combined with, e.g., a global passive observer, our protection
@@ -477,7 +479,7 @@
Our focus so far has been on steady-state networks with
passive adversaries. However, we want to provide uncertainty
even in edge cases where there is a momentarily lull in
-traffic~\cite{pet2003-diaz,trickle02}. An active attacker
+traffic~\cite{mixmaster-reliable,pet2003-diaz,trickle02}. An active attacker
can arrange an edge case via blending attacks, but a passive attacker
can also simply wait for an edge case to occur. For timed mixes there
will be occasions when only a single message enters and leaves the mix in
@@ -538,6 +540,7 @@
(cf.\ Section~\ref{sec:distributing-alpha}).
\section{Strategic Choice of Alpha}
+\label{sec:strategic-choice}
As observed in Section~\ref{sec:passive-adversary-anonymity}, the
anonymity of any message can be improved by greater uncertainty about
@@ -548,7 +551,7 @@
This can be viewed as a commons: everybody will hope that somebody
else takes the latency hit.
-There are two ways to resolve this risk though.
+There are two ways to resolve this risk.
First, note that not all users have the same sensitivity level: some
users favor performance and others favor anonymity. Three factors are
most important in characterizing the utility function for our users:
@@ -589,7 +592,7 @@
the behavior of others, and their own needs. Thus if we can prescribe
recommendations for choice of alpha, for example based on analysis and
observed patterns within the network, we can expect most people to
-heed them. (Although they may not follow them --- we can expect
+heed them. (On the other hand, they may not --- we can also expect
hyperbolic discounting of risk, disregard of risk for expedience,
etc.~\cite{acquisti04}.)
@@ -614,7 +617,7 @@
complex designs that are harder to analyse fully but may provide better
protection against stronger attacks.
-\subsection{Preventing end-to-end timing on alpha mixnets}
+\subsection{Preventing end-to-end timing attacks on alpha mixnets}
The prior work that is probably most similar to alpha mixing is
stop-and-go mixing~\cite{stop-and-go}. In stop-and-go mixing, the sender
@@ -628,13 +631,13 @@
even if some nodes in the path are not adequately synchronized.
On the other hand, this flexibility is also a flaw: an adversary that
is global-passive except for being able to delay messages from a single
-sender could, e.g., batch up a victim's messages and
+sender could batch up a victim's messages and
send them through an alpha mixnet all at once. Unless all the messages have
$\sum \alpha = 0$ the adversary will gain limited information from this attack,
-but can in principle still learn more than from a stop-and-go mixnet.
+but he can still learn more than from a stop-and-go mixnet.
We could include timestamps along with the $\alpha$ that each mix
-receives with a message and require that the message be dropped if it
+receives, and require that the message be dropped if it
arrives more than some delta from the timestamp. This would make
timed alpha mixes essentially equivalent to stop-and-go mixes, which
might prove useful against timing correlations by such an adversary.
@@ -671,7 +674,7 @@
more sensitive by their senders than the first, in a stepped linear
order of sensitivity. And by sending in messages of his own at known
alpha levels above $0$ the adversary can learn the exact levels of the
-messages that emerge between his messages at that alpha level. Then,
+messages that emerge between his messages. Then,
by flooding first $\alpha = \ell$, then $\alpha = \ell-1$, \ldots, then
$\alpha = 0$, the adversary can guarantee a flush of the mix all the
way up to $\alpha = \ell$ while also learning the alpha level of most of
@@ -692,12 +695,12 @@
%An alternate threshold alpha mixing scheme would only fire when
%$n$ messages of $\alpha = 0$ have arrived. That is,
-We could also require that the firing of the mix be
-threshold-and-timed, which would prevent the adversary from triggering
-an alpha-stack dump by only allowing messages of one alpha level to
-emerge in one time interval. It is unclear what the local advantage is
+We could also use a
+threshold-and-timed mix, which would prevent the adversary from triggering
+an alpha-stack dump because only messages of one alpha level will
+emerge in each time interval. It is unclear what the local advantage is
of this vs.\ the above multilevel-batching threshold mix. In addition,
-having timed-and-threshold batching would preclude the predictability
+having threshold-and-timed batching would preclude the predictability
advantages of timed mixes while the multilevel-batching approach could
potentially offer faster performance. The primary risk of not having
timing limitations on mix firing is the end-to-end effects that the
@@ -719,7 +722,7 @@
$\alpha_{M,i+1} = f(\alpha_{M,i}, \mathit{Pool}(\alpha_{M,i}))$
where \\
$\mathit{Pool}(\alpha_{M,i}) = | \{M' : 1 \leq \alpha_{M',i-1} \leq
-\alpha_{M',i-1} \} | $
+\alpha_{M,i-1} \} | $
We believe that $f$ would typically be monotonically nonincreasing.
The sender gives $f_M$ to a mix along with $\alpha_{M}$. We would
@@ -728,7 +731,7 @@
idea is that alphas decrease but only as a function of the
current alpha level of the message and how many messages
are in the pool below it. We have also limited the input of
-$f$ to messages that were given an $\alpha > 0$, although this
+$f$ to messages that arrived with a non-zero alpha, although this
is not necessary. This effectively puts each message in a dynamic
pool, which could also be timed.
@@ -808,11 +811,11 @@
some scenarios of attacker's knowledge about it. However, the more
complex dynamic-alpha mixes and tau mixes are yet to be analysed; this seems
difficult as we need to make some assumptions both about how users
-choose ther security parameters and what the attacker knows about them.
+choose their security parameters and what the attacker knows about them.
\paragraph{User behavior:} However much we postulate about how users
behave, there is no substitute for actually getting user profiles
-and learning how to incent them to behave securely. We expect that
+and learning how to create incentives for secure behavior. We expect that
unless we protect our users, they will try to condition their security
parameter on the threat level of the message; as we have seen above
this reduces rather than increases anonymity.
Index: alpha-mixing.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/alpha-mixing/alpha-mixing.bib,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- alpha-mixing.bib 2 Jun 2006 21:49:33 -0000 1.8
+++ alpha-mixing.bib 8 Jul 2006 19:27:28 -0000 1.9
@@ -547,3 +547,13 @@
month = {June},
}
+@inproceedings{mixmaster-reliable,
+ title = {Comparison between two practical mix designs},
+ author = {Claudia D\'{\i}az and Len Sassaman and Evelyne Dewitte},
+ booktitle = {Proceedings of ESORICS 2004},
+ year = {2004},
+ month = {September},
+ address = {France},
+ series = {LNCS},
+}
+
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxx with
unsubscribe freehaven-cvs in the body. http://freehaven.net/