[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[freehaven-cvs] rework the conclusion some more

To: freehaven-cvs@freehaven.net
Subject: [freehaven-cvs] rework the conclusion some more
From: arma@seul.org (Roger Dingledine)
Date: Sun, 2 May 2004 19:58:27 -0400 (EDT)
Delivered-to: archiver@seul.org
Delivered-to: freehaven-cvs-outgoing@seul.org
Delivered-to: freehaven-cvs@seul.org
Delivery-date: Sun, 02 May 2004 19:58:56 -0400
Reply-to: freehaven-dev@freehaven.net
Sender: owner-freehaven-cvs@freehaven.net

Update of /home2/freehaven/cvsroot/doc/e2e-traffic
In directory moria.mit.edu:/tmp/cvs-serv30208

Modified Files:
	e2e-traffic.bib e2e-traffic.pdf e2e-traffic.tex 
Log Message:
rework the conclusion some more


Index: e2e-traffic.bib
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.bib,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- e2e-traffic.bib	2 May 2004 22:16:33 -0000	1.14
+++ e2e-traffic.bib	2 May 2004 23:58:24 -0000	1.15
@@ -266,7 +266,7 @@
   month = {August},
   howpublished = {Usenet post},
   note = {\url{http://www.eskimo.com/~weidai/pipenet.txt} First mentioned
-      in a post to the cypherpunks list, Feb.\ 1995.},
+      to the cypherpunks list, Feb.\ 1995.},
 }
 
 @InProceedings{raymond00,
@@ -444,3 +444,13 @@
   year = {2004},
   howpublished = {Forthcoming}
 }
+
+@inproceedings{econymics,
+  title = {On the Economics of Anonymity}, 
+  author = {Alessandro Acquisti and Roger Dingledine and Paul Syverson}, 
+  booktitle = {Financial Cryptography}, 
+  year = {2003}, 
+  editor = {Rebecca N. Wright}, 
+  publisher = {Springer-Verlag, LNCS 2742}, 
+}
+

Index: e2e-traffic.pdf
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.pdf,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
Binary files /tmp/cvsERn1AD and /tmp/cvssbmZE9 differ

Index: e2e-traffic.tex
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.tex,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -d -r1.51 -r1.52
--- e2e-traffic.tex	2 May 2004 23:45:42 -0000	1.51
+++ e2e-traffic.tex	2 May 2004 23:58:25 -0000	1.52
@@ -1017,39 +1017,47 @@
 %\label{subsubsec:future-work}
 %Many questions remain before the effectiveness of long-term
 %intersection attacks can be considered a closed problem.
-Our model differs most from reality in four ways.
+Our model differs most from reality in five ways.
 
 First,
 although real social networks behave more like scale-free networks than like
-the original disclosure attack's model, our models for user behavior still
+the original disclosure attack's model, our {\bf models for user behavior} still
 have room for improvement. Real users probably do not send
 messages with a time-invariant geometric distribution: most people's email
 habits are based on a 24-hour day, and a 7-day week.  Early research on
 traffic patterns in actual mix-nets \cite{mixvreliable} suggests that this
 variation is probably significant.
 
-Second, real user behavior changes over
-time. Section~\ref{subsec:strenghtening} discusses how an attacker might
+Second, {\bf real user behavior changes over
+time}. Section~\ref{subsec:strenghtening} discusses how an attacker might
 handle a scenario where the background traffic changes slowly over
 time, and perhaps a similar approach would also help against a sender whose
 recipients were not constant.  In the absence of a model for time-variant
 user behavior, however, we have not simulated attacks for these cases.
 
-Third, it seems clear that systems with message linkability, such as pseudonymous
+Third, it seems clear that systems with {\bf message linkability},
+such as pseudonymous
 services, will fall to intersection attacks far faster than anonymizing
 services without linkability.  How linkable are messages ``in the wild,'' how
 much does this linkability help an attacker, and how can it be mitigated?
 
 Fourth, real attackers are not limited to passive observation. We should
 generalize our attacks
-to incorporate information gained by an active
-attacker.  Past work on avoiding blending attacks~\cite{trickle02}
+to incorporate information gained by an {\bf active attacker}.  Past work on
+avoiding blending attacks~\cite{trickle02}
 has concentrated on preventing an attacker from being certain of
 Alice's recipients---but in fact, an active attack that only reveals
-slight probabilities about Alice's recipients could provide information
-to speed up the intersection attacks in this paper.
-% also: run a server, knock down nodes, improve linkability, convince Alice
-% to be vulnerable.
+slight probabilities could speed up the attacks in this
+paper.
+
+Fifth, Alice has incentive to {\bf operate a mix}, so an attacker
+cannot be sure if she is originating messages or just relaying
+them~\cite{econymics}. Can we treat this relayed traffic (which goes to
+actual recipients) as equivalent to padding (which goes to no recipients)?
+Can Alice employ this relayed traffic for a cheaper padding
+regime, without opening herself up to influence from active attacks?
+
+% also: knock down nodes, convince Alice to be vulnerable.
 
 % Is this attack better or worse than other attacks?  Probably neither:
 % this attack speeds up blending attacks, and relaxes the amount of
@@ -1096,7 +1104,7 @@
 network in Alice's absence.  On the other hand, significant padding volumes
 may be too cumbersome for most users, and perfect consistency (sending
 padding from the moment a network goes online until it shuts
-down) is similarly difficult.
+down) is likely impractical.
 
 Users should be educated about the effects of {\bf message volume}: sending
 infrequently is relatively safe, especially if the user doesn't repeat the
@@ -1122,11 +1130,9 @@
 %you can defend _which senders_ against an adversary who sees _how much_.
 %We show that mix networks are not secure against this global observer,
 %and that they can also be defeated by partial observers.
-Instead, we should attempt to quantify {\it how long} our designs can defend
+Instead, we should attempt to quantify the risk: {\it how long} our
+designs can defend
 {\it which senders} against an adversary who sees {\it how much}.
-We hole that this paper helps move anonymity system threat analysis
-towards quantification of risk for given parameters of
-adversaries, senders, and mixes.
 
 % We said that fixed entry/exit might help too, but I now think it
 % wouldn't.  Suppose the attacker observes c nodes out of n.  If I

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/

Prev by Author: [freehaven-cvs] more cleanup, particularly in the conclusion
Next by Author: [freehaven-cvs] tweaks
Previous by thread: [freehaven-cvs] Add a test for another desirable point.
Next by thread: [freehaven-cvs] tweaks
Index(es):
- Author
- Thread