[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] more patches to section 4
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03
Modified Files:
econymics.tex
Log Message:
more patches to section 4
(i'm going to leave section 4 to alessandro for now, so he can
keep working on the more complex parts)
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -d -r1.15 -r1.16
--- econymics.tex 15 Sep 2002 21:10:46 -0000 1.15
+++ econymics.tex 15 Sep 2002 21:58:00 -0000 1.16
@@ -346,6 +346,9 @@
the cost of additional delay.
\item or through a conventional non-anonymous system, $c_{n}$.
+
+(Perception of the delay caused by using the mix-net system can be
+reflected in the difference of $c_{s}$ and $c_{n}$.)
\end{itemize}
\item receiving dummy traffic, $c_{r}$.
@@ -519,35 +522,31 @@
\cite{trickle02}. Nonetheless, a \emph{global} passive adversary is still
quite strong, and thus a typical starting point of anonymity analyses.
-\subsection{(Honest) Agents}
+\subsection{Honest agents}
If a user only sends her messages, the cost of using the anonymous service
-is $c_{s}$. This cost might be higher than using the non anonymous channel, $%
-c_{n}$, because of usage fees, usage hassles, or delays.\footnote{%
-Even if all messages are assumed to arrive, they may take much longer to
-arrive through the anonymity system than if sent without it. Perception of
-this can be reflected in the difference of $c_{s}$ and $c_{n}$. See also
-previous Section.} To keep things simple, we assume that all messages pass
+is $c_{s}$. This cost might be higher than using the non anonymous channel,
+$c_{n}$, because of usage fees, usage hassles, or delays.
+To keep things simple, we assume that all messages pass
through the mix-net system in fixed length free routes, so that we can write
$c_{s}$ as a fixed value, the same for all agents. Users send messages at
the same time, and only one message at a time. We also assume that routes
-are chosen randomly by uses, so that traffic is uniformly distributed among
+are chosen randomly by users, so that traffic is uniformly distributed among
the nodes. If a user decides to be a node, costs increase with the traffic,
as described in the Section above. For nodes we concentrate on the
-traffic-based variable costs. Given that there are no actively bad nodes
-(and assuming that the only possible failures are hostile ones), reliability
+traffic-based variable costs. Given that there are no active bad nodes
+(our adversary is restricted to watching messages), reliability
is deterministically complete ($p_{r}=1$). We also assume that all agents
know the number of agents using the system and the number of them acting as
nodes, and that each specific agent's actions are observable. Furthermore,
we initially assume that the type of an agent is publicly known (i.e. a high
sensitivity type cannot pretend to be a low type). We later relax this
-assumption. As already noted, we also assume that all agents perceive the
-level of anonymity in the system - given its traffic and its number of nodes
-- the same way, and that they value anonymity. Further, we imagine that both
+assumption. We also assume that all agents perceive the
+level of anonymity in the system (based on traffic and number of nodes)
+the same way. Further, we imagine that both
agent types use the system because they want to avoid potential losses from
not being anonymous. This sensitivity to anonymity can be represented with
-the variable $v_{i}$, that we treat as uniformly distributed in $\left[ 0,1%
-\right] $.
+the variable $v_{i}$, which we treat as uniformly distributed between 0 and 1.
These assumptions let us reformulate the framework above in a simpler way.
The utility function can be re-written as:
@@ -557,8 +556,8 @@
-c_{s}a_{i}^{s}-c_{h}\left( n_{s},n_{h},n_{d}\right) a_{i}^{h}-c_{n}
\end{equation*}
-The above function reads in the following way: each agent $i$ tries to
-\textit{minimize} the costs of sending messages and the risk of them being
+This function reads as follows: each agent $i$ tries to
+\textit{minimize} the costs of sending messages and the risk of being
tracked. $1-p_{a}\left( n_{s},n_{h},n_{d},a_{i}^{h}\right) $ is the
probability that the anonymity will be lost given the number of agents
sending messages, the number of them acting as honest and dishonest nodes,
@@ -566,13 +565,15 @@
derives from its message being exposed, assumed to be a continuous variable $%
v_{i}=\left[ \text{\b{v}},\bar{v}\right] $. $c_{s},c_{h}\left(
n_{s},n_{h}\right) ,$ and $c_{n}$ are the costs of sending a message through
-the mix-net system, acting as node when there are $n_{s}$ agents sending
-messages over $n_{h}$ and $n_{d}$ nodes, and sending messages through a non
-anonymous system, respectively. Each period, the rational agent can compare
-the disutility coming from three one-period strategies: only send her own
-messages through the mix-net, $a_{s}$; or send her messages but also act as
-node forwarding other users' messages, $a_{h}$; or send a message without
-using the mix-net, $a_{n}$.
+the mix-net system, acting as a node when there are $n_{s}$ agents sending
+messages over $n_{h}$ and $n_{d}$ nodes, and sending messages through
+a non-anonymous system, respectively. Each period, the rational agent
+can compare
+the disutility coming from each of these three one-period strategies.
+%: only send her own
+%messages through the mix-net, $a_{s}$; or send her messages but also act as
+%node forwarding other users' messages, $a_{h}$; or send a message without
+%using the mix-net, $a_{n}$.
\begin{equation*}
\begin{tabular}{cc}
@@ -585,9 +586,10 @@
\end{tabular}
\end{equation*}
-Note that we do not\ explicitly allow the agent to choose \textit{not} to
-send a message at all, which would of course mimize the risk of anonymity
-compromise. Rather, she can only choose amongst the three given actions. We
+We do not explicitly allow the agent to choose \textit{not} to
+send a message at all, which would of course minimize the risk of anonymity
+compromise. %Rather, she can only choose amongst the three given actions.
+Also, we
do not explicitly report the value of sending a successful message. Both are
simplifications that do not alter the rest of the analysis. We could in fact
have inserted an action $a^{0}$ with a certain disutility from not sending
@@ -596,12 +598,12 @@
utility of sending a succesful message compared to not sending it (which
could be interpreted also as an opportunity cost), and solve the dual
problem of maximizing the expected utility. Either way, the ``exit''
-strategy for each agent will either be sending a message non anonymously, or
+strategy for each agent will either be sending a message non-anonymously, or
not sending it at all, depending on which option maximizes the expected
benefits or minimizes the expected losses. Thereafter, we can simply compare
the two other actions (being a user, or being also a node) to the locally
optimal exit strategy.\footnote{%
-For example, sending an anonymous message might so expensive, and sending it
+For example, sending an anonymous message might be so expensive, and sending it
through a non anonymous channel so potentially costly, that the user might
prefer not to send a message at all. We discuss again some more general
issues related to this point in one of the later sections [[add reference
@@ -613,10 +615,10 @@
\subsubsection{Myopic Agents}
Myopic agents do not take into consideration the strategic consequences of
-their action. They simply consider the status of the network and, depending
-on the payoffs of the one-period game, adopt a certain strategy. Imagine
-that the system is already in function. A new agent with a privacy
-sensitivity $v_{i}$ is considering to use a mix-net where currently $n_{s}=%
+their actions. They simply consider the status of the network and, depending
+on the payoffs of the one-period game, adopt a certain strategy.
+Imagine a new agent with a privacy
+sensitivity $v_{i}$ is considering using a mix-net where currently $n_{s}=%
\bar{n}_{s}$ and $n_{h}=\bar{n}_{h}$, that is, there are already $\bar{n}_{s}
$ users and $\bar{n}_{h}$ nodes.
@@ -633,20 +635,19 @@
$ $-v_{i}\left( 1-p_{a}\left( \bar{n}_{s}+1,\bar{n}_{h},n_{d}\right) \right)
-c_{s}$ and $-v_{i}\left( 1-p_{a}\left( \bar{n}_{s}+1,\bar{n}%
_{h},n_{d}\right) \right) -c_{s}<-v_{i}-c_{n}$ then agent $i$ will choose to
-be an user of the system. Otherwise, $i$ will simply not use the system
+be a user of the system. Otherwise, $i$ will simply not use the system.
Of course, for a formal solution we need an explicit functional form of the
-probability function. We have seen above, however, that privacy metric (like
+probability function. We have seen above, however, that privacy metrics (like
\cite{Serj02,Diaz02}) do not directly translate into monotonic probability
functions of the type traditionally used in game theory. Furthermore, the
-actual level of anonymity will depend on the specific structure of the nodes%
-\footnote{%
-For example, whether they are arranged as a cascade-mix or not.} and they
-way they are used by the participants. Nevertheless we can highlight the
-economic rationale implicit in the above disequation. In the first
+actual level of anonymity will depend on the mix-net protocol and topology
+(cascades will provide larger anonymity sets at each node than free-route
+networks). Nevertheless we can highlight the
+economic rationale implicit in the above equation. In the first
comparison agent $i$ is comparing her contribution to her own anonymity by
acting as a node to the costs of doing so. Acting as a node dramatically
-increases anonymity (see above \ref{sec:model}), but it will also bring more
+increases anonymity, but it will also bring more
traffic-related costs to the agent. Agents with high privacy sensitivity
(high $v_{i}$) will be obviously keener in accepting the trade-off and
becoming nodes.
@@ -656,7 +657,7 @@
Strategic agents take into consideration the fact that their action will
trigger responses by the other agents in the system.
-We start from a simplified scenario where we consider only one-one-one
+We start from a simplified scenario where we consider only one-on-one
interactions. The interactions we have in mix-net systems obviously involve
a much larger number of players, but the following analysis can give us a
taste of the issues to be considered when strategic agents are interacting.
@@ -762,10 +763,10 @@
side, they might not want too much free-riding if this involves too high
traffic costs. This latter point however must be specified: high privacy
sensitive types, at parity of traffic, prefer to be a node (because
-anonymity and reliability will increase) and prefer to work in system with
+anonymity and reliability will increase) and prefer to work in systems with
fewer nodes (otherwise traffic gets too dispersed and the anonymity sets get
too small). So, if $-v_{L}-c_{n}$ is particularly high, i.e. if the cost of
-non having anonymity is very high for each H type, then each H type might
+not having anonymity is very high for each H type, then each H type might
tend to act as node regardless of what the others do [[extend on this]].
Also, if there are enough low types, again an high type might have an
interest in acting alone is its costs of non having anonymity would be too
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/