[freehaven-cvs] checkpointing some changes to section 3



Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
checkpointing some changes to section 3


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- econymics.tex	15 Sep 2002 17:22:19 -0000	1.11
+++ econymics.tex	15 Sep 2002 19:00:30 -0000	1.12
@@ -171,14 +171,14 @@
 the usual solutions of suspending users or otherwise
 holding them accountable.
 
-Unlike encryption (confidentality), it's not enough for the communicating
+Unlike with encryption, it's not enough for the communicating
 end parties to cooperate on anonymity simply using whatever communications
 infrastructure is available. Alice cannot decide by herself that she
 wants her message to be anonymous --- the infrastructure itself must
 cooperate. Anonymity systems use messages to hide messages: senders
 are consumers of anonymity and also providers of the cover traffic that
-creates anonymity for others. From an anonymity perspective, users are
-always better off going where the noise is provided.
+creates anonymity for others. Thus users are always better off going
+where the noise is provided.
 
 High traffic is necessary for strong anonymity. High traffic and
 better performance complement each other: a system that processes
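Review bot: Dropping "From an anonymity perspective" in the rewritten last sentence of this paragraph turns a scoped claim into an unconditional one ("Thus users are always better off going where the noise is provided"). The preceding sentences only argue from cover traffic, so the conclusion holds for anonymity, not for cost or latency. Suggest keeping a short qualifier, for example "Thus, for anonymity, users are always better off ...".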
@@ -191,9 +191,9 @@
 to bridge the trust bottlenecks.
 
 Anonymity systems must be robust against a surprisingly wide variety
-of active attacks to break anonymity \cite{back01,raymond00}. Adversaries
+of attacks to break anonymity \cite{back01,raymond00}. Adversaries
 can also attack to reduce the efficiency or reliability of nodes, or
-to make it more expensive for operators to continue running nodes. All
+to increase the cost to operators of running nodes. All
 of these factors combine to threaten the \emph{anonymity} of the system.
 As Back et al point out, ``in anonymity systems usability,
 efficiency, reliability and cost become \emph{security} objectives because
@@ -209,9 +209,9 @@
 
 In this section and the following we formalize the economic analysis of why
 people might want to send messages through mix-nets. Here we discuss the
-incentives for the agents to participate to a system as senders or as nodes,
-and \ we start proposing a general framework for the analysis. In the next
-section we consider various applications of that framework.
+incentives for the agents to participate either as senders or as nodes,
+and we start proposing a general framework for the analysis. In the next
+section we consider various applications of our framework.
 
 We start from the assumption that agents value their privacy, hence they
 have an interest in using a mix-net system. This interest might be related
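Review bot: The added line "and we start proposing a general framework for the analysis" keeps the awkward verb from the old text; "we begin by proposing" or simply "we propose" reads better. Since this paragraph is being touched anyway, "In this section and the following" could also become "In this section and the next" to match "In the next section" one sentence later.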
@@ -220,50 +220,25 @@
 value anonymity differently.
 
 The strategy space $S$ for each agent $i$ $\in I$ (where $I=\left\{
-1,2,...,n\right\} $) willing to use the mix-net is the set of strategies $s$
+1 \dots n\right\}$) willing to use the mix-net is the set of strategies $s$
 based on the following feasible actions $a$:
 
 \begin{enumerate}
-\item  Act simply as user of the system, by:
-
-\begin{itemize}
-\item  sending messages through the system, $a^{s}$,
-
-\item  or/and agreeing to receive dummy traffic\footnote{%
-We make here the assumption that users of the system are interested in
-sending information anonymously; receiving valid traffic from the system is
-not an action of `using the system'. This might not always be the case,
-e.g., for remailer mixes with reply blocks or for bidirectional connections
-as in Crowds or Onion Routing. And, it may have costs and/or benefits.}
-through the system, $a^{r}$;%
-%[[with reference to the footnote, actually I guess that we do not even need this assumption, i.e. my writing ``sending messages through the system'' was a bit restrictive; my impression is that the model we are working on work also when ``using'' the system means both sending and receiving; if you agree with this we can change above the word ``sending'' into ``sending and receiving own traffic'']]
-\end{itemize}
-
-\item  Act as honest node, $a^{h}$, which can involve:
-
-\begin{itemize}
-\item  receiving and forwarding traffic (and, in particular, acting as exit
-nodes),
-
-\item  keeping messages secret,
-
-\item  and possibly creating dummy traffic.
-\end{itemize}
-
-\item  Act as dishonest node, $a^{d}$, which can involve:
-
-\begin{itemize}
-\item  pretending to forward traffic but not doing so,
+\item  Act simply as a user of the system, $a^s$, specifically by sending
+(and receiving) her own traffic over the system; and/or agreeing to
+receive dummy traffic through the system, $a^r$.
 
-\item  or, possibly pretending to create dummy traffic but not doing so, or
-sending dummy traffic easily recognizable as such,
+\item  Act as an honest node, $a^{h}$, which can involve receiving
+and forwarding traffic (and possibly acting as an exit node), keeping
+messages secret, and possibly creating dummy traffic.
 
-\item  or, possibly using the traffic which passes to compromise the
-anonymity of the system.
-\end{itemize}
+\item  Act as dishonest node, $a^{d}$, which can involve pretending to
+forward traffic but not doing so, pretending to create dummy traffic but
+not doing so (or sending dummy traffic easily recognizable as such), or
+using the traffic which passes to compromise the anonymity of the system.
 
-\item  Send messages through conventional, non anonymous channels, $a_{n}$
-(or sending no message at all).
+\item  Send messages through conventional non-anonymous channels, $a_{n}$
+(or send no messages at all).
 \end{enumerate}
 
 For each complete strategy profile $s=\left( s_{1},...,s_{n}\right) $, each
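Review bot: The merged item 1 now attaches $a^s$ to "Act simply as a user of the system" as a whole, whereas the removed sub-item defined $a^s$ as sending messages and $a^r$ as receiving dummy traffic; as written it is unclear whether $a^r$ is part of $a^s$ or a separate action. Please state the two symbols separately. Notation is also inconsistent across the list: $a^s$, $a^r$, $a^h$, $a^d$ use superscripts but item 4 uses the subscript $a_{n}$, which can be read as the action of agent $n$ given $I = \{1 \dots n\}$. Smaller points: item 3 still says "Act as dishonest node" while item 2 was fixed to "an honest node", and the removed footnote's caveat that receiving real traffic may carry its own costs and benefits is lost now that item 1 says "(and receiving)".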
@@ -273,88 +248,82 @@
 \begin{enumerate}
 \item  Benefits of sending messages anonymously. We model them as a function
 of the subjective evaluation the agent places on the information
-successfully arriving at its destination, $v_{r}$, the subjective value of
-the information remaining anonymous, $v_{a}$, the perceived level of
-anonymity in the system, $p_{a}$ (i.e., the probability that sender and
-message will remain anonymous), and the perceived level of reliability in
-the system, $p_{r}$ (i.e., the probability that the message will be
-delivered). The subjective value of the information being sent\ anonymously
+successfully arriving at its destination, $v_{r}$; the subjective value of
+the information remaining anonymous, $v_{a}$; the perceived level of
+anonymity in the system, $p_{a}$ (the probability that sender and
+message will remain anonymous); and the perceived level of reliability in
+the system, $p_{r}$ (the probability that the message will be
+delivered). The subjective value of the information being sent anonymously
 can be related to the profits the agent expects to make by keeping that
 information anonymous, or the losses the agents expects to avoid by keeping
 that information anonymous. We represent the level of anonymity in the
 system as a function of the traffic (number of agents sending messages in
-the system, $n_{s}$), the number mixes (number of agents acting as honest
-nodes, $n_{h}$ and as dishonest nodes $n_{d}$), and the decisions of the
-agent. We assume that this function maps these factor into a probability
-space,  $p$.\footnote{%
-Simple probability may not be the ultimate best measure of anonymity. For
-example, it is likely that information theoretic metrics as in \cite
-{Serj02,Diaz02} are better. However, probabilities are typically simpler and
-also better than the common ``anonymity set'' representation of anonymity.
-In particular, work on information theoretic metrics show how the level of
-anonymity achieved by an agent in a mix-net system is associated to the
-particular structrure of the system. Using a probability function allows us
-to model certain aspects of these systems, while etailed discussion of those
-metrics are beyond the scope of this paper.} In particular:
+the system, $n_{s}$), the number of mixes (number of agents acting as honest
+nodes, $n_{h}$ and as dishonest nodes, $n_{d}$), and the decisions of the
+agent. We assume that this function maps these factors into a probability
+space, $p$.\footnote{%
+Information theoretic anonymity metrics \cite{Diaz02,Serj02} probably
+provide better measures of anonymity: such work shows how the level
+of anonymity achieved by an agent in a mix-net system is associated to
+the particular structure of the system. But probabilities are simpler
+(and better than the common ``anonymity set'' representation), so we
+use them for now.} In particular:
 
 \begin{itemize}
 \item  The number of users of the system is positively correlated to the
 level of anonymity of the system.
 
 \item  Acting as a node (which we represent as $a_{i}^{s}=1$, under the
-assumption that the honest node is interested in its own anonymity ) is
+assumption that the honest node is interested in its own anonymity) is
 strongly positively correlated to preserving the anonymity of one's
-information. For example, suppose that there are a thousand agents sending
+information. For example, suppose agents send
 messages at regular intervals (no more than one message per agent is sent to
 any incoming node at a time), that the probability of any node being
 compromised is $0.1$, and that messages pass through three nodes before
 exiting the network. Assume that routes are chosen at random unless the
-sender owns a node. In that case the sender uses his own node as the first
-one and chooses the next two at random. If an agent does not run a node,
-then the probality that he will by identified with certainty as the sender
+sender owns a node, in which case the sender uses his own node first
+and chooses the next two at random. If an agent does not run a node,
+the probability that he will by identified with certainty as the sender
 of a message that exits the mix network is $.001$. If an agent runs a mix
-node with firing threshold of $50$, then amongst messages leaving the mix
-net a passive adversary can with certainty reduce the anonymity set (the set
-of possible messages that might be the sender's) to no less than $50$. And
+node with batch threshold of $50$, then amongst messages leaving the mix-net
+a passive adversary can with certainty reduce the anonymity set (the set
+of possible messages that might be the sender's) only to $50$. And
 the probability of even doing that is the probability that all of the
-messages from the relevant mix batch pass only through bad nodes on the
-remaining two hops, i.e, $10^{-100}$. If we pessimistically equate the
+messages from the relevant batch pass only through bad nodes on the
+remaining two hops: $10^{-100}$. If we pessimistically equate the
 probability of guessing a message with the probability of identifying it
-with certainty, then the increase in anonymity acheived by running ones own
+with certainty, then the increase in anonymity achieved by running one's own
 node here is $2\times 10^{99}$.\footnote{%
 This example incorporates many simplifying assumptions, e.g., about patterns
 of sending messages and adversary passivity. Nonetheless, it should be clear
 that there is a large potential gain from running one's own node.}
 
-\item  The relation between the number of (other) nodes and the probability
-of remaining anonymous might not be monotonic. At parity of traffic,
-sensitive agents might want fewer nodes in order to maintain high anonymity
-sets. In particular, if no compromised (dishonest) nodes existed, then a
-smaller number of nodes should be preferred by everybody to a larger number
-of nodes. But if some nodes are dishonest, at parity of number of dishonest
-nodes users will face a trade-off between having more honest nodes (to
-increase the probability of having messages processed by them), and having
-less nodes (again not to make the anonymity sets get too small); in fact,
-those agents that act as nodes will have less desire for more nodes than the
-users who do not act as nodes. Hence the temptative relation that we
-consider is that the probability of remaining anonymous is inversely related
-to the number of honest nodes but positively related to the ratio
-honest/dishonest nodes. %[[is this too strong a statement?]]
+\item  The relation between the number of (other) nodes and the
+probability of remaining anonymous might not be monotonic. At parity of
+traffic, sensitive agents might want fewer nodes in order to maintain high
+anonymity sets. In particular, if no dishonest nodes exist, everybody
+should prefer a small number of nodes. But if some nodes are dishonest,
+users may prefer more honest nodes (to increase the chance that messages
+go through honest nodes). Agents that act as nodes may have less desire
+for more nodes than the users who do not act as nodes, because they want
+to maintain high anonymity sets at their particular node. Hence the
+probability of remaining anonymous is inversely related to the number
+of nodes but positively related to the ratio of honest/dishonest nodes.
 \end{itemize}
 
-If we assume that honest nodes will always deliver and forward the messages
-that go through them, the level of reliability in the system is then inverse
-function of the share of dishonest nodes in the system, $n_{d}/n_{h}$.
+If we assume that honest nodes always deliver messages that go through
+them, the level of reliability in the system is then an inverse function
+of the share of dishonest nodes in the system, $n_{d}/n_{h}$.
 
-\item  Benefits of acting as a node (e.g., nodes might be retributed for
+\item  Benefits of acting as a node (nodes might be retributed for
 forwarding traffic or for creating dummy traffic), $b_{h}$.
 
-\item  Benefits of acting as dishonest node (e.g., dishonest node might
-benefit from disrupting the service or might make use of the information
+\item  Benefits of acting as a dishonest node (dishonest node might
+benefit from disrupting service or might make use of the information
 that passes through them), $b_{d}$.
 \end{enumerate}
 
-As for the possible costs, they can be enumerated as follows:
+The possible costs can be enumerated as follows:
 
 \begin{enumerate}
 \item  Costs of using the system by:
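Review bot: In the worked example, removing "a thousand agents" leaves the final figure $2\times 10^{99}$ without a visible derivation: the two probabilities that remain in the text are $.001$ and $10^{-100}$, whose ratio is $10^{97}$, so the extra factor needs either the population size restored or a sentence showing how it is obtained. The same rewritten sentence still contains the typo "he will by identified" (should be "be"). Two further points in this hunk: the node-count bullet opens with "might not be monotonic" but now ends with an unhedged "Hence the probability of remaining anonymous is inversely related to the number of nodes", with both "temptative" and the "is this too strong a statement?" comment removed, so the conclusion is stronger than its own premise; and the reliability paragraph calls $n_{d}/n_{h}$ the "share of dishonest nodes", although that expression is the dishonest-to-honest ratio, not a share of all nodes. The bullet above also writes acting as a node as $a_{i}^{s}=1$, which collides with $a^{s}$ as the user action.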
@@ -363,15 +332,15 @@
 \item  sending messages:
 
 \begin{itemize}
-\item  through the mix-net system, $c_{s}$. This cost include both potential
-direct financial costs of usage of the system (e.g., usage fees), as well as
+\item  through the mix-net system, $c_{s}$. This cost includes both
+direct financial costs of using of the system (e.g., usage fees), as well as
 implicit costs such as the time needed to configure messages in order for
 them to be used in the system, or delays incurred when using the system.
 These delays should be positively correlated to the traffic $n_{s}$ and
 negatively correlated to the number of nodes $n_{h}$. In addition, when
 message delivery is guaranteed, a node might always choose a longer route to
 reduce risk. We could assign a higher $c_{s}$ to longer routes to reflect
-the cost, e.g., of additional delay;
+the cost of additional delay;
 
 \item  or through a conventional, non anonymous system, $c_{n}$;
 \end{itemize}
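Review bot: The added line "direct financial costs of using of the system" has a stray "of"; it should read "of using the system". The unchanged line "through a conventional, non anonymous system" could also take the hyphenated "non-anonymous" that this same commit introduces in the action list, so the two passages agree.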
@@ -379,18 +348,11 @@
 \item  receiving dummy traffic, $c_{r}$.
 \end{itemize}
 
-\item  Costs of acting as honest node, $c_{h}$ by:
-
-\begin{itemize}
-\item  receiving and forwarding traffic,
-
-\item  creating dummy traffic,
-
-\item  being an exit node (which involves potential exposure to liabilities
-or abuses);
-\end{itemize}
+\item  Costs of acting as an honest node, $c_{h}$ by receiving and
+forwarding traffic, creating dummy traffic, and being an exit node
+(which involves potential exposure to liabilities or abuses);
 
-Here we note that there might be both fixed and variable costs of being a
+Here we note that there are both fixed and variable costs of being a
 node. The fixed costs are related to the investments necessary to setup the
 software. The variable costs are dominated by the costs of traffic passing
 through the node.
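Review bot: The merged \item ends with a semicolon ("potential exposure to liabilities or abuses);") but is followed by a new paragraph starting "Here we note that ...", so the semicolon should become a period now that the nested itemize is gone. A comma is also missing after $c_{h}$ in "Costs of acting as an honest node, $c_{h}$ by receiving", and "necessary to setup the software" in the context line should be the verb "set up". Changing "might be" to "are" for fixed and variable costs is a stronger claim than the rest of the cost list makes; check that it is intended.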
@@ -1063,7 +1025,7 @@
 This need to pigeonhole users into a few behavior classes conflicts with the
 fact that real-world users have different interests and different
 approaches. Heterogeneity in its users is what makes the Internet so lively
-and successful. Reducing options can lead to reducing usability, scaring
+and successful. Reducing options can lead to reduced usability, scaring
 away the users and leaving a useless anonymity system.
 
 % It remains to be seen whether designs and
