[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] first draft, magicpoint version of slides for workshop

To: freehaven-cvs@freehaven.net
Subject: [freehaven-cvs] first draft, magicpoint version of slides for workshop
From: arma@seul.org (Roger Dingledine)
Date: Tue, 3 Jun 2003 03:52:40 -0400 (EDT)
Delivered-to: archiver@seul.org
Delivered-to: freehaven-cvs-outgoing@seul.org
Delivered-to: freehaven-cvs@seul.org
Delivery-date: Tue, 03 Jun 2003 03:52:48 -0400
Reply-to: freehaven-dev@freehaven.net
Sender: owner-freehaven-cvs@freehaven.net
Update of /home/freehaven/cvsroot/doc/econp2p03
In directory moria.mit.edu:/home/arma/work/freehaven/doc/econp2p03

Added Files:
	slides-econp2p03.mgp 
Log Message:
first draft, magicpoint version of slides for workshop


--- NEW FILE: slides-econp2p03.mgp ---
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%deffont "standard" xfont "comic sans ms-medium-r"
%%deffont "thick" xfont "arial black-medium-r"
%%deffont "typewriter" xfont "courier new-bold-r"
%%deffont "type2writer" xfont "arial narrow-bold-r"
%%deffont "standard"   tfont "standard.ttf",   tmfont "kochi-mincho.ttf"
%%deffont "thick"      tfont "thick.ttf",      tmfont "goth.ttf"
%%deffont "typewriter" tfont "typewriter.ttf", tmfont "goth.ttf"
%deffont "standard" xfont "helvetica-medium-r", tfont "arial.ttf", tmfont "times.ttf"
%deffont "thick" xfont "helvetica-bold-r", tfont "arialbd.ttf", tmfont "hoso6.ttf"
%deffont "italic" xfont "helvetica-italic-r", tfont "ariali.ttf", tmfont "hoso6.ttf"
%deffont "typewriter" xfont "courier-medium-r", tfont "typewriter.ttf", tmfont "hoso6.ttf"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 8, fore "black", back "white", font "thick", hgap 1
%default 2 size 8, vgap 10, prefix " ", ccolor "black"
%default 3 size 6, bar "gray70", vgap 0
%default 4 size 6, fore "black", vgap 0, prefix " ", font "standard"
%%
%%default 1 area 90 90, leftfill, size 9, fore "yellow", back "blue", font "thick"
%%default 2 size 9, vgap 10, prefix " "
%%default 3 size 7, bar "gray70", vgap 10
%%default 4 size 7, vgap 30, prefix " ", font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 5, vgap 40, prefix "     ", icon arc "red" 50
%tab 2 size 4, vgap 35, prefix "            ", icon delta3 "blue" 40
%tab 3 size 3, vgap 35, prefix "                        ", icon dia "DarkViolet" 40
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%center, size 9, font "thick", back "white", fore "black"



Reputation and Anonymity


%size 7
Roger Dingledine

The Free Haven Project
%font "typewriter", fore "blue"
http://freehaven.net/
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview

%leftfill
Background on anonymity (economics)

Background on reputation

Why we think reputation can help

Why reputation isn't the silver bullet

Lessons learned, example systems

Open problems

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Many people need anonymity

%leftfill
 Individuals are tracked and profiled daily
	Imagine your dossier in twenty years
	(If that doesn't scare you, think of your kids)

%size 6
 Political dissidents in oppressive countries

 Governments want to do operations secretly

 Corporations vulnerable to traffic analysis:
	VPNs, encryption don't block corporate espionage

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Anonymity is at odds with usability

%leftfill
Anonymity requires 
%cont, font "italic"
inefficiencies 
%cont, font "standard"
in computation, bandwidth, storage

Unlike encryption, it's not enough for just one person to want anonymity: the infrastructure must participate

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Hide users with users

Anonymity systems use messages to hide messages (the more noise, the more anonymous something in that noise is)

Senders are consumers of anonymity, and providers of the cover traffic that creates anonymity for others

Users might be better off on crowded systems, even if those systems have weaker anonymity
designs

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%page
%%
%%More users is good
%%
%%High traffic => better performance
%%
%%Better performance => high traffic
%%
%%Attracts more users: faster 
%%%cont, font "italic"
%%and 
%%%cont, font "standard"
%%more anonymous
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

But trust bottlenecks can break everything

Nodes with more traffic must be more trusted

Adversary who wants more traffic should provide good service

(and knock down other good providers)

Performance and efficiency metrics 
%cont, font "italic"
cannot 
%cont, font "standard"
distinguish bad guys from good guys

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Strong anonymity requires distributed trust

An anonymity system can't be just for one entity

(even a large corporation or government)

You must carry traffic for others to protect yourself

But those others don't want to trust their traffic to just one entity either

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

An Economics of Anonymity

	Systems need cover traffic (many low-sensitivity users) to attract the high-sensitivity users
	Most users do not want (know they want) anonymity
	Weak security (small mix batch, no-delay proxy) can mean more users
		which can mean 
%cont, font "italic"
stronger 
%cont, font "standard"
anonymity
	High-sensitivity agents have incentive to run nodes
		so they can be certain first node in their routes is trusted
		to attract cover traffic for their messages
	There can be an optimal level of free-riding

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Facets of Reputation

Reputation as a signal:
Tool to predict the future based on past behavior

Reputation as a sanction:
Tool to change the future by giving people incentive to behave well

Tool for risk management

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Reliability is critical for anonymity systems

	Traditional accountability (eg contract) doesn't work

	Since we don't know full network state, transactions tend to be unreliable

	With many nodes, each node won't interact with everybody often
      Free riding, abuse, anonymity attacks

	Shared reputation can maybe help reliability?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Reputation is problematic for anonymity systems

Attacker or freeloader can cheaply throw away bad-reputation nyms.

Hard to detect/verify a node's behavior while maintaining anonymity.
We had to redesign p2p systems to support this!

Reputation information can be exploited to subvert anonymity.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Reputation can be exploited

	A node can't measure all nodes. If he measures only some, he gives away who he might use.

	A central reputation server can give different info to different people. Must replicate and coordinate?

	Adversary has incentive to get good reputation --- and discredit other nodes --- to see more traffic

	Tension between giving users accurate timely information, and preventing adversary from manipulating user behavior

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: Free-route mix-net

Mixes write per-hop receipts to prove good service; witnesses verify and tally failure claims.

But:

	Global witnesses are trust and communication 
%cont, font "italic"
bottlenecks 
%font "standard"

	Owning high reputation nodes means you own more paths?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: Cascade mix-net

	Cascades rearrange periodically (eg daily)

	A node fails its own cascade if it detects misbehavior

	Nodes send test messages to monitor their cascades

	Senders can demonstrate decryptions to show failure

	All nodes in cascade get +1 reputation if it succeeds, -1 if it fails.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: Free Haven

	Decentralized anonymous publishing system

	Publishers decide lifetime of their file

	Tit for tat: I'll store your file if you'll store mine.

	Hard: need reputation system to determine who will cheat

	Harder: how do you verify a claim?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

More open topics

	Are dynamic p2p systems that need reliability and don't allow verifying claims doomed? Altruism, other factors?
	Can we model reputation as currency? May allow easier decentralization.
	Incentives: If anonymity for all requires each user doing similar things, how do we deal with users who don't want as much anonymity?
	Do we have to abandon statistical rigor in the face of this uncertainty?


***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/
Next by Author: [freehaven-cvs] revision of slides based on talking to nick
Next by thread: [freehaven-cvs] revision of slides based on talking to nick
Index(es):
- Author
- Thread