[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] first draft, magicpoint version of slides for workshop
Update of /home/freehaven/cvsroot/doc/econp2p03
In directory moria.mit.edu:/home/arma/work/freehaven/doc/econp2p03
Added Files:
slides-econp2p03.mgp
Log Message:
first draft, magicpoint version of slides for workshop
--- NEW FILE: slides-econp2p03.mgp ---
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%deffont "standard" xfont "comic sans ms-medium-r"
%%deffont "thick" xfont "arial black-medium-r"
%%deffont "typewriter" xfont "courier new-bold-r"
%%deffont "type2writer" xfont "arial narrow-bold-r"
%%deffont "standard" tfont "standard.ttf", tmfont "kochi-mincho.ttf"
%%deffont "thick" tfont "thick.ttf", tmfont "goth.ttf"
%%deffont "typewriter" tfont "typewriter.ttf", tmfont "goth.ttf"
%deffont "standard" xfont "helvetica-medium-r", tfont "arial.ttf", tmfont "times.ttf"
%deffont "thick" xfont "helvetica-bold-r", tfont "arialbd.ttf", tmfont "hoso6.ttf"
%deffont "italic" xfont "helvetica-italic-r", tfont "ariali.ttf", tmfont "hoso6.ttf"
%deffont "typewriter" xfont "courier-medium-r", tfont "typewriter.ttf", tmfont "hoso6.ttf"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 8, fore "black", back "white", font "thick", hgap 1
%default 2 size 8, vgap 10, prefix " ", ccolor "black"
%default 3 size 6, bar "gray70", vgap 0
%default 4 size 6, fore "black", vgap 0, prefix " ", font "standard"
%%
%%default 1 area 90 90, leftfill, size 9, fore "yellow", back "blue", font "thick"
%%default 2 size 9, vgap 10, prefix " "
%%default 3 size 7, bar "gray70", vgap 10
%%default 4 size 7, vgap 30, prefix " ", font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 5, vgap 40, prefix " ", icon arc "red" 50
%tab 2 size 4, vgap 35, prefix " ", icon delta3 "blue" 40
%tab 3 size 3, vgap 35, prefix " ", icon dia "DarkViolet" 40
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%center, size 9, font "thick", back "white", fore "black"
Reputation and Anonymity
%size 7
Roger Dingledine
The Free Haven Project
%font "typewriter", fore "blue"
http://freehaven.net/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Overview
%leftfill
Background on anonymity (economics)
Background on reputation
Why we think reputation can help
Why reputation isn't the silver bullet
Lessons learned, example systems
Open problems
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Many people need anonymity
%leftfill
Individuals are tracked and profiled daily
Imagine your dossier in twenty years
(If that doesn't scare you, think of your kids)
%size 6
Political dissidents in oppressive countries
Governments want to do operations secretly
Corporations vulnerable to traffic analysis:
VPNs, encryption don't block corporate espionage
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Anonymity is at odds with usability
%leftfill
Anonymity requires
%cont, font "italic"
inefficiencies
%cont, font "standard"
in computation, bandwidth, storage
Unlike encryption, it's not enough for just one person to want anonymity: the infrastructure must participate
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Hide users with users
Anonymity systems use messages to hide messages (the more noise, the more anonymous something in that noise is)
Senders are consumers of anonymity, and providers of the cover traffic that creates anonymity for others
Users might be better off on crowded systems, even if those systems have weaker anonymity
designs
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%page
%%
%%More users is good
%%
%%High traffic => better performance
%%
%%Better performance => high traffic
%%
%%Attracts more users: faster
%%%cont, font "italic"
%%and
%%%cont, font "standard"
%%more anonymous
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
But trust bottlenecks can break everything
Nodes with more traffic must be more trusted
Adversary who wants more traffic should provide good service
(and knock down other good providers)
Performance and efficiency metrics
%cont, font "italic"
cannot
%cont, font "standard"
distinguish bad guys from good guys
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Strong anonymity requires distributed trust
An anonymity system can't be just for one entity
(even a large corporation or government)
You must carry traffic for others to protect yourself
But those others don't want to trust their traffic to just one entity either
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
An Economics of Anonymity
Systems need cover traffic (many low-sensitivity users) to attract the high-sensitivity users
Most users do not want (know they want) anonymity
Weak security (small mix batch, no-delay proxy) can mean more users
which can mean
%cont, font "italic"
stronger
%cont, font "standard"
anonymity
High-sensitivity agents have incentive to run nodes
so they can be certain first node in their routes is trusted
to attract cover traffic for their messages
There can be an optimal level of free-riding
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Facets of Reputation
Reputation as a signal:
Tool to predict the future based on past behavior
Reputation as a sanction:
Tool to change the future by giving people incentive to behave well
Tool for risk management
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Reliability is critical for anonymity systems
Traditional accountability (eg contract) doesn't work
Since we don't know full network state, transactions tend to be unreliable
With many nodes, each node won't interact with everybody often
Free riding, abuse, anonymity attacks
Shared reputation can maybe help reliability?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Reputation is problematic for anonymity systems
Attacker or freeloader can cheaply throw away bad-reputation nyms.
Hard to detect/verify a node's behavior while maintaining anonymity.
We had to redesign p2p systems to support this!
Reputation information can be exploited to subvert anonymity.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Reputation can be exploited
A node can't measure all nodes. If he measures only some, he gives away who he might use.
A central reputation server can give different info to different people. Must replicate and coordinate?
Adversary has incentive to get good reputation --- and discredit other nodes --- to see more traffic
Tension between giving users accurate timely information, and preventing adversary from manipulating user behavior
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Example: Free-route mix-net
Mixes write per-hop receipts to prove good service; witnesses verify and tally failure claims.
But:
Global witnesses are trust and communication
%cont, font "italic"
bottlenecks
%font "standard"
Owning high reputation nodes means you own more paths?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Example: Cascade mix-net
Cascades rearrange periodically (eg daily)
A node fails its own cascade if it detects misbehavior
Nodes send test messages to monitor their cascades
Senders can demonstrate decryptions to show failure
All nodes in cascade get +1 reputation if it succeeds, -1 if it fails.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Example: Free Haven
Decentralized anonymous publishing system
Publishers decide lifetime of their file
Tit for tat: I'll store your file if you'll store mine.
Hard: need reputation system to determine who will cheat
Harder: how do you verify a claim?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
More open topics
Are dynamic p2p systems that need reliability and don't allow verifying claims doomed? Altruism, other factors?
Can we model reputation as currency? May allow easier decentralization.
Incentives: If anonymity for all requires each user doing similar things, how do we deal with users who don't want as much anonymity?
Do we have to abandon statistical rigor in the face of this uncertainty?
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/