[freehaven-cvs] cleanup and some new sections at the end
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03
Modified Files:
econymics.bib econymics.tex
Log Message:
cleanup and some new sections at the end
Index: econymics.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.bib,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- econymics.bib 13 Sep 2002 00:57:13 -0000 1.2
+++ econymics.bib 13 Sep 2002 20:05:48 -0000 1.3
@@ -1,9 +1,25 @@
+@Misc{advogato,
+ author = {Raph Levien},
+ title = {Advogato's Trust Metric},
+ howpublished = {\url{http://www.advogato.org/trust-metric.html}}
+}
+
@Misc{anonymizer,
key = {anonymizer},
title = {{T}he {A}nonymizer},
- howpublished = {$<$\texttt{http://www.anonymizer.com/}$>$}
-}
+ howpublished = {\url{http://www.anonymizer.com/}}
+}
+
+@InProceedings{back01,
+ author = {Adam Back and Ulf M\"{o}ller and Anton Stiglic},
+ title = {Traffic Analysis Attacks and Trade-Offs in Anonymity
+ Providing Systems},
+ booktitle = {Information Hiding, (IH 2001), {LNCS} Vol.\ 2137},
+ pages = {245--257},
+ year = 2001,
+ publisher = {Springer-Verlag}
+}
@InProceedings{Diaz02,
author = {Claudia Diaz and Stefaan Seys and Joris Claessens
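Review bot: the new advogato entry at the top of this hunk cites a live web page with no year or access date, so the reference cannot be pinned to the version of the page the paper relied on; add a `year` or a `note` giving the date visited. The anonymizer entry changed in the same hunk has the same gap. The `-}` / `+}` pair after its howpublished line looks identical as shown; if it is a whitespace-only change it could be dropped to keep the diff readable.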
@@ -13,7 +29,6 @@
year = 2002,
editor = {Paul Syverson and Roger Dingledine},
publisher = {Springer Verlag, LNCS (forthcoming)}
-
}
@Book{diffiebook,
@@ -22,7 +37,30 @@
Encryption},
publisher = {MIT Press},
year = 1998
-}
+}
+
+@InProceedings{mix-acc,
+ author = {Roger Dingledine and Michael J. Freedman and David
+ Hopwood and David Molnar},
+ title = {{A Reputation System to Increase MIX-net
+ Reliability}},
+ booktitle = {Information Hiding, 4th International Workshop (IH 2001)},
+ pages = {126--141},
+ year = 2001,
+ editor = {Ira Moskowitz},
+ publisher = {Springer-Verlag, LNCS 2137},
+ note = {\newline \url{http://www.freehaven.net/papers.html}},
+}
+
+@InProceedings{casc-rep,
+ author = {Roger Dingledine and Paul Syverson},
+ title = {{Reliable MIX Cascade Networks through Reputation}},
+ booktitle = {Financial Cryptography (FC '02)},
+ year = 2002,
+ editor = {Matt Blaze},
+ publisher = {Springer Verlag, LNCS (forthocoming)},
+ note = {\newline \url{http://www.freehaven.net/papers.html}}
+}
@Article{fudenberg88,
author = {Drew Fudenberg and David K. Levine},
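Review bot: `forthocoming` in the publisher field of the casc-rep entry is a typo for `forthcoming` and will print in the bibliography as written. The two added entries also spell the publisher differently (`Springer-Verlag, LNCS 2137` against `Springer Verlag, LNCS (forthocoming)`), and mix-acc names the IH 2001 proceedings differently from the back01 entry added earlier in this file (`Information Hiding, (IH 2001), {LNCS} Vol.\ 2137`); settle on one form for both. The trailing comma after the note field in mix-acc is harmless but differs from every other entry.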
@@ -56,6 +94,14 @@
note = {\url{http://www.freehaven.net/papers.html}}
}
+@InProceedings{sybil,
+ author = "John Douceur",
+ title = {{The Sybil Attack}},
+ booktitle = "1st International Peer To Peer Systems Workshop (IPTPS 2002)",
+ month = Mar,
+ year = 2002,
+ url = {\url{http://www.cs.rice.edu/Conferences/IPTPS02/}}
+}
@InProceedings{syverson_2000,
author = {Paul F. Syverson and Gene Tsudik and Michael G. Reed
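Review bot: the sybil entry carries its link in a `url` field, which the standard `plain` and `alpha` styles do not print, so the address will silently disappear from the typeset bibliography; the other entries in this file put theirs in `note = {\url{...}}` or `howpublished`, and this one should follow suit. Wrapping `\url{}` inside a `url` field would also double-wrap the value under any style that does handle that field. The entry mixes "..." and {...} delimiters where the rest of the file uses braces.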
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- econymics.tex 13 Sep 2002 19:50:12 -0000 1.6
+++ econymics.tex 13 Sep 2002 20:05:48 -0000 1.7
@@ -72,12 +72,12 @@
\newcommand{\workingnote}[1]{} % The version that hides the note.
%\newcommand{\workingnote}[1]{(**#1)} % The version that makes the note visible.
-\title{Towards an Econymics ;-)}
+%\title{Towards an Econymics ;-)}
%\title{Open Issues in the Economics of Anonymity}
%\title{Issues in the Economics of Anonymity}
%\title{Topics in the Economics of Anonymity}
%\title{The Economics of Anonymity}
-%\title{On the Economics of Anonymity}
+\title{On the Economics of Anonymity}
\author{Alessandro Acquisti\inst{1} \and Roger Dingledine\inst{2} \and Paul Syverson\inst{3}}
\institute{SIMS, UC Berkeley
\email{(acquisti@sims.berkeley.edu)}
@@ -674,26 +674,85 @@
\item Bilateral contracts (see also below, ``Extensions'') between agents
to agree on cooperation and punishments for breaching cooperation.
-\item Reputation: We already had a bunch of stuff about reputation in the
-paper that prompted this work. We should mine that for here. It can play a
-role in various forms
+\item Reputation might want a short discussion here too?
-\begin{itemize}
-\item mojonation: fill in the details
+\end{enumerate}
-\item high performing high volume ``high'' nodes can attract more traffic,
-get more cover for their highly sensitive anonymous communication
+\section{Alternate incentive mechanisms}
-\item related to the ``special agent'' above. Some nodes will attach a
-value to having good mix-nets available. Altruistic self interest or some
-such. They want the world to be a better place. We shouldn't ignore that as
-a factor in such things. Similarly, one could imagine government services
-for same (even if most of the current community can't imagine such a thing
-;-)
-\end{itemize}
-\end{enumerate}
+Reputation: this comes either in the form of "i want a higher reputation
+so i can get more cover traffic", as explained above, but also is "i think
+offering this service is good for the world. gaining a higher reputation
+makes me feel warm and fuzzy inside, because people see how generous i am
+and how concerned with privacy i am." this last group is a critical group
+to describe, even if it's not in our model very well, because to date that's
+where most node operators come from. similarly we hope to get governments
+to run nodes (and in germany they're already working on a government-run
+mix cascade).
-\section{Extensions}
+mojonation: we might be able to get the system to work by building in a
+micropayments system, like mojo nation did. however, its design isn't
+as applicable here as we might hope.
+
+\section{A few more roadblocks}
+
+\subsection{Authentication in a volunteer economy}
+
+Our discussions above indicate that it may in fact be plausible to build
+a strong anonymity infrastructure from a wide-spread group of independent
+nodes that each want good anonymity for their own purposes. In fact,
+the more jurisdictionally diverse this group of nodes, the more robust
+the overall system.
+
+However, volunteers are problems: users don't know who they're dealing
+with. A disruptive bad guy can do whatever he wants. We can try to monitor
+system components, but this is harder to do in a decentralized dynamic
+system. It is possible to structure system protocols to create better
+incentives for honest principals and to catch bad performance by others
+\cite{mix-acc,casc-rep}. But even when this is feasible, identifying
+individuals is a problem. Classic authentication considers whether it's
+the right entity, but not whether the authenticated parties are distinct
+from one another. One person may create and control several distinct
+online identities. This \emph{pseudospoofing} problem \cite{sybil}
+is a nightmare when an anonymity infrastructure is scaled to a large,
+diffuse, peer-to-peer design; it remains one of the main open problems
+in the design of any decentralized anonymity service. The Advogato trust
+metric \cite{advogato} and similar techniques rely on humans to make
+initial trust decisions, and then bound trust flow over a certification
+graph. However, so far none of these trust flow approaches have provided
+a clear solution to the problem. Another potential solution, a global
+PKI to ensure unique identities, is unlikely to emerge any time soon.
+
+\subsection{Usability: customization and preferential service are risky too}
+
+Leaving security decisions up to the user is traditionally a way to foist
+cost or liability from the vendor to the customer; but in strong anonymity
+systems it may be unavoidable. For example, the sender might choose how
+many nodes to use, whether to use mostly nodes run by her friends, whether
+to send in the morning or evening, etc. After all, only she knows the
+value of the transaction. But these parameters can affect anonymity ---
+different usage patterns can help distinguish and track users.
+
+Choosing one or a few sets of system-wide security parameters can help
+protect users by keeping the noise fairly uniform, but again we're
+introducing inefficiencies; users that don't need as much protection may
+feel they're wasting resources. Yet we risk anonymity if we let users
+customize or optimize their client's behavior. We can't even let users pay
+for better service or preferential treatment --- the hordes in the coach
+seats are probably better off anonymity-wise than those in first class.
+However, ``in anonymity systems usability, efficiency, reliability and
+cost become \emph{security} objectives because they affect the size of the
+user base which in turn affects the degree of anonymity it is possible
+to achieve'' \cite{back01}. It remains to be seen whether designs and
+incentives, for both system users and system components, can be structured
+to meet all of these objectives sufficiently to create viable systems.
+
+\section{Future Work}
+
+We have described a basic model for characterizing and analyzing the
+various incentives that participants have to act either as senders or
+as nodes in strong anonymity infrastructures. There are a number of
+directions for future research:
\begin{itemize}
\item Dummy traffic increases costs but it also increases anonymity. Here
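Review bot: the hunk removes `\section{Extensions}` and replaces it with `\section{Future Work}`, but the unchanged item at the top of the hunk still reads (see also below, ``Extensions''), which now points at a heading that no longer exists; update that cross-reference or give the section a `\label` and use `\ref`. The new `\item Reputation might want a short discussion here too?` is an open question to co-authors sitting in body text; wrap it in the `\workingnote{}` macro defined in the preamble so it stays hidden in the built paper. The text under "Alternate incentive mechanisms" uses straight double quotes ("i want a higher reputation ...") where the later added paragraphs use ``...''; in LaTeX the straight form typesets as two closing quotes. That section is also still in lowercase note form, unlike the finished prose of the subsections that follow.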
@@ -722,7 +781,7 @@
done in economics to study, for example, Hal Varian's model of sales.
\end{itemize}
-\bibliographystyle{alpha}
+\bibliographystyle{plain}
\bibliography{econymics}
\end{document}