[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] start to edit 2.3, start a conclusion.

To: freehaven-cvs@xxxxxxxxxxxxx
Subject: [freehaven-cvs] start to edit 2.3, start a conclusion.
From: arma@xxxxxxxx
Date: Fri, 10 Mar 2006 18:27:29 -0500 (EST)
Delivered-to: archiver@seul.org
Delivered-to: freehaven-cvs-outgoing@seul.org
Delivered-to: freehaven-cvs@seul.org
Delivery-date: Fri, 10 Mar 2006 18:27:53 -0500
Reply-to: freehaven-dev@xxxxxxxxxxxxx
Sender: owner-freehaven-cvs@xxxxxxxxxxxxx
Update of /home/freehaven/cvsroot/doc/alpha-mixing
In directory moria:/home/arma/work/freehaven/doc/alpha-mixing

Modified Files:
	alpha-mixing.tex 
Log Message:
start to edit 2.3, start a conclusion.


Index: alpha-mixing.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/alpha-mixing/alpha-mixing.tex,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- alpha-mixing.tex	10 Mar 2006 23:22:40 -0000	1.13
+++ alpha-mixing.tex	10 Mar 2006 23:27:27 -0000	1.14
@@ -208,7 +208,7 @@
 message entering the mix, e.g., that this is provided to the mix
 encrypted together with the message. However we do allow that the
 adversary might know the strategy by which alpha was chosen; we
-examine this issue further in Section \ref{Attacker-knowledge}. What
+examine this issue further in Section~\ref{Attacker-knowledge}. What
 should that strategy be? It would seem that choosing higher alphas
 would correspond to greater anonymity for messages. We now make this
 more precise.
@@ -270,7 +270,7 @@
 $alpha$-range for any message improves anonymity for all messages.
 
 \subsection{Attacker Knowledge}
-\label{Attacker-knowldge}
+\label{Attacker-knowledge}
 
 In the previous section we noted that the anonymity properties
 provided by alpha mixes depend on what the attacker knows about the
@@ -327,32 +327,42 @@
 and the anonymity is the entropy of this distribution. Clearly, the
 more the attacker knows about alpha, the lower the anonymity.
 
-\subsection{Correlating Offensiveness with Security}
+\subsection{Correlating message content with requested security}
 
 Now let us study an interesting example which has long been known
 intuitively... Suppose the attacker knows that sender $S$ only sends
 with a high security parameter (let's say alpha of 5). He now sees a
-message from sender $S$ at round 0, and a message with a death threat
+message from sender $S$ at round 0, and a message detailing Enron's
+finances emerges
 at round 5. Suppose further that all other messages have an alpha of
-0. Our above definitions (naturally) give the offensive message the
-anonymity set of all the sender of round 5 union $S$. Nevertheless, we
-conjecture the jury will tend to suspect that $S$ sent the
-message. How can we reconcile the opinion of the jury with our
+0. Our above definitions give the target message the
+anonymity set of all the senders of round 5 union $S$. Nevertheless, we
+conjecture the attacker will tend to suspect that $S$ sent the
+message. How can we reconcile the intuition of the attacker with our
 formalism above and how can we design the system to avoid such a
 judgement?
 
-The jury is likely to be correct (though hopefully not beyond a
-reasonable doubt from this descriptionas we argue below) -- what we
+The attacker is likely to be correct
+%(though hopefully not beyond a
+%reasonable doubt from this description as we argue below) 
+--- what we
 ignore here is the fact that the choice of the security parameter is
-likely \emph{conditional} on the offensiveness of the message and the
+likely \emph{conditional} on the importance of the message and the
 attacker has used this fact to form his judgement. In order to avoid
-this, we must (paradoxically!!)  ignore this fact completely and pick
-alphas from a distribution which is independent of the receiver (this
-distribution, of course, is allowed to be conditional on the utility
-function!). Indeed, one must convince the jury that the sender *could
+this, we must (paradoxically!) ignore this fact completely and pick
+alphas from a distribution which is independent of the receiver and
+the message's content. (Of course, this
+distribution can still be conditional on the utility
+function.)
+
+Of course, there are still external factors to consider. If 
+Indeed, we can go a step further and design the software so that the
+sender can not influence his choice of 
+
+one must convince the jury that the sender *could
 not* have picked the alphas any other way (otherwise those with high
 latency/security tradeoff will be more likely to be suspected of dodgy
-things as is indeed the case in practice as no dobt every anonymity
+things as is indeed the case in practice as no doubt every anonymity
 researcher has experienced. In anonymity language, the attacker will
 try determine the sender's security parameter by mounting an
 intersection attack. We will see that some alpha strategies are more
@@ -371,30 +381,29 @@
 that the message takes. There are two problems. First, if a bad mix
 observes one of the alphas, it should get as little information as
 possible about the other alphas of this message\footnote{Note the
-similarity between picking an alpha and message splitting \cite{SM05}
--- in both cases they are distributions over partitions.}
+similarity between picking an alpha and message splitting~\cite{SM05}
+--- in both cases they are distributions over partitions.}
 
 Secondly, it should be hard for the bad mixes to link any alpha
 parameter to a particular sender, i.e. figure out how much any sender
-is concerned about security for the reasons mentioned in the previous
-section.
+is concerned about security. This matters for the reasons described in
+the previous section.
 
 One possible solution for picking a sequence of $\alpha^{(i)}$ (where
 the `$(i)$' represents the $i^{th}$ mix in the route) is precisely to
 pick from a uniform distribution over the partitions of $\Sigma
-\alpha$ into $l$ buckets where the buckets themselves are
+\alpha$ into $\ell$ buckets where the buckets themselves are
 indistinguishable. The number of such partitions are given by
 
 \[
-\sum_k=1^l Q(\Sigma \alpha, k)
+\sum_k=1^\ell Q(\Sigma \alpha, k)
 \]
 
 where $Q(n,k)$ denotes the number of ways of partitioning $n$ into
 exactly $k$ distinct parts. Generating values from such a distribution
-is possible, for instance, using the algorithm described in
-\cite{devroye86}. This seems to deal with the first problem (the
 analysis to show this is beyond the scope of this paper). For the
-second part, we need to decide whether the sender cares
+second part, it depends what the sender wants to protect:
+does she care
 about having an estimate of the security parameter
 associated with just herself, with herself and the recipient,
 or just the recipient. Note that if the first and
@@ -412,7 +421,7 @@
 and hence obtain a sequence of alphas to insert into the message.
 
 If we wish to guarantee that neither the first nor the last mix can
-locally know anything about sensitivity level of a message, we can
+locally know anything about the sensitivity level of a message, we can
 simply stipulate for message $M$ that $\alpha^{(0)}_{M,0} =
 \alpha^{(n)}_{M,0} = 0$ (for a path length of $n+1$. Similarly we
 could stipulate that $\alpha^{(1)}_{M,0} = \alpha^{(n-1)}_{M,0} \leq
@@ -560,10 +569,10 @@
 Alpha mixing itself is likely to affect the applications that can be
 securely used and how, so recommendations are likely to evolve.
 Initial recommendations can be guided by existing anonymity networks.
-Traffic that must arrive in realtime obiously must have $\sum \alpha =
+Traffic that must arrive in realtime obviously must have $\sum \alpha =
 0$.  For more sensitive traffic, we might initially try to follow
 networks such as Mixminion and Mixmaster. But how can we do that? 
-Thes use a dynamic batching strategy in which messages are chosen
+These use a dynamic batching strategy in which messages are chosen
 for the current batch randomly by the mix from a collective pool
 while alpha mixing is based on individual choices made by the sender.
 We now turn to how to combine these features.
@@ -638,6 +647,24 @@
 
 \section{Conclusion}
 
+In this paper we have presented a mix technique that works together
+with traditional batching strategies to allow senders with varying
+anonymity and performance goals to share the same network. Aside from
+simply letting high-sensitivity users choose to get higher anonymity for
+their messages, the key property it provides is a network effect: when
+\emph{some} users ask for higher anonymity, \emph{all} users can benefit.
+
+We have only begun to explore the possibilities and analysis of this
+design. Future work includes:
+
+\paragraph{Multiple messages and stream-based communication:} This paper
+has assumed the \emph{single-message model}, where each sender produces
+individual uncorrelated messages. Much of the reason for Tor's success
+is not just its low overhead, but rather its support for bidirectional
+streams. But the \emph{stream model} introduces many end-to-end anonymity
+attacks that seem hard to resolve simply with better batching strategies.
+
+...
 
 %%%% Stuff with 4s is stuff from alpha strategy section
 %%%% that I didn't want to toss just yet

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxx with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/
Prev by Author: [freehaven-cvs] clean up the first few pages more
Next by Author: [freehaven-cvs] add back in the 2.2 and other changes and conclusion
Previous by thread: [freehaven-cvs] tpo
Next by thread: [freehaven-cvs] Minor edits all over
Index(es):
- Author
- Thread