[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] more cleanup, particularly Section 7

To: freehaven-cvs@freehaven.net
Subject: [freehaven-cvs] more cleanup, particularly Section 7
From: arma@seul.org (Roger Dingledine)
Date: Mon, 16 Sep 2002 01:13:09 -0400 (EDT)
Delivered-To: archiver@seul.org
Delivered-To: freehaven-cvs-outgoing@seul.org
Delivered-To: freehaven-cvs@seul.org
Delivery-Date: Mon, 16 Sep 2002 01:13:09 -0400
Reply-To: freehaven-dev@freehaven.net
Sender: owner-freehaven-cvs@freehaven.net
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
more cleanup, particularly Section 7


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -d -r1.19 -r1.20
--- econymics.tex	16 Sep 2002 04:50:08 -0000	1.19
+++ econymics.tex	16 Sep 2002 05:13:07 -0000	1.20
@@ -80,7 +80,6 @@
 \email{(syverson@itd.nrl.navy.mil)}}
 
 \maketitle
-%\pagestyle{myheadings} \markboth{Towards an Econymics, Draft \today}{Towards an Econymics, Draft \today}
 \pagestyle{plain}
 
 \begin{abstract}
@@ -334,13 +333,15 @@
 \begin{itemize}
 \item  through the mix-net system, $c_{s}$. This cost includes both direct
 financial costs such as usage fees, as well as implicit costs such as the
-time to build an anonymous message, learning curve to get familiar with the
-system, and delays incurred when using the system. These delays should be
-positively correlated to the traffic $n_{s}$ and negatively correlated to
-the number of nodes $n_{h}$. % FIXME is this right? -RD
-In addition, when message delivery is guaranteed, a node might always choose
-a longer route to reduce risk. We could assign a higher $c_{s}$ to longer
-routes to reflect the cost of additional delay.
+time to build an anonymous message, learning curve to get familiar with
+the system, and delays incurred when using the system. At first these
+delays seem positively correlated to the traffic $n_{s}$ and negatively
+correlated to the number of nodes $n_{h}$. But counterintuitively, more
+messages per node might instead \emph{decrease} latency because nodes can
+process batches more often; see Section \ref{sec:alternate-incentives}. In
+addition, when message delivery is guaranteed, a node might always
+choose a longer route to reduce risk. We could assign a higher $c_{s}$
+to longer routes to reflect the cost of additional delay.
 
 \item  or through a conventional non-anonymous system, $c_{n}$.
 
@@ -408,12 +409,9 @@
 c_{n}$.} Note that $\gamma $ and $\partial$ describe the probability of a
 message being delivered and a message remaining anonymous, respectively.
 These probabilities are weighted with the values $v_{r,a}$ because different
-agents might value anonymity and reliability differently,%\footnote{%
-%In other words, even if agents agree on metrics for reliability and
-%anonymity, some might care more about anonymity than
-%reliability, some vice versa.}
-and because in different scenarios anonymity and reliability for the same
-agent might have different impacts on her payoff.
+agents might value anonymity and reliability differently, and because in
+different scenarios anonymity and reliability for the same agent might
+have different impacts on her payoff.
 
 While messages might be sent anonymously to avoid costs or to gain profits,
 the costs and benefits from sending the message might be distinct from the
@@ -507,14 +505,14 @@
 participants, plus the fact that earlier actions indicate only a weak
 commitment to future actions, 
 % did my changes just make this statement incorrect?
-suggest against using a sequential approach \textit{a la } Stackleberg. 
-%cite?
+suggest against using a sequential approach \textit{a la} Stackleberg. 
+[cite]
 With a large group size there might be no discernable nor agreeable order
 for the actions of all participants, so actions can be considered
 simultaneous. The limited commitment produced by earlier actions allow us to
 consider a repeated-game scenario. We also imagine that the need to send a
 message at each period is high enough that a ``war of attrition'' framework
-is not applicable.
+is not applicable. [explain war of attrition]
 
 \subsection{Adversary}
 
@@ -527,14 +525,12 @@
 choosing strategies agents will attach a subjective probability to arbitrary
 nodes being compromised --- all nodes not run by the agent are assigned the
 same probability of being compromised. This factor influences their
-assessment of the anonymity of messages they send. For our purposes, it will
-not matter whether the set of compromised nodes is static or dynamic (as in 
-\cite{syverson_2000}). A purely passive adversary is unrealistic in most
-settings, e.g., it assumes that hostile users never selectively send
-messages at certain times or routes, and nodes and links never selectively
-trickle or flood messages \cite{trickle02}. Nonetheless, a \emph{global}
-passive adversary is still quite strong, and thus a typical starting point
-of anonymity analyses.
+assessment of the anonymity of messages they send. A purely passive
+adversary is unrealistic in most settings, e.g., it assumes that
+hostile users never selectively send messages at certain times or
+routes, and nodes and links never selectively trickle or flood messages
+\cite{trickle02}. Nonetheless, a \emph{global} passive adversary is still
+quite strong, and thus a typical starting point of anonymity analyses.
 
 \subsection{Honest agents}
 
@@ -581,10 +577,7 @@
 there are $n_{s}$ agents sending messages over $n_{h}$ and $n_{d}$ nodes,
 and sending messages through a non-anonymous system, respectively. Each
 period, the rational agent can compare the disutility coming from each of
-these three one-period strategies. %: only send her own
-%messages through the mix-net, $a_{s}$; or send her messages but also act as
-%node forwarding other users' messages, $a_{h}$; or send a message without
-%using the mix-net, $a_{n}$.
+these three one-period strategies.
 
 \begin{equation*}
 \begin{tabular}{cc}
@@ -670,14 +663,15 @@
 (like \cite{Serj02,Diaz02}) do not directly translate into monotonic
 probability functions of the type traditionally used in game theory.
 Furthermore, the actual level of anonymity will depend on the mix-net
-protocol and topology (cascades will provide larger anonymity sets at each
-node than free-route networks). Nevertheless we can highlight the economic
-rationale implicit in the above equation. In the first comparison agent $i$
-is comparing her contribution to her own anonymity by acting as a node to
+protocol and topology (cascade-based or synchronous networks will provide
+larger anonymity sets than asynchronous networks where traffic is divided
+among the nodes). Nevertheless we can highlight the economic rationale
+implicit in the above equation. In the first comparison agent $i$ is
+comparing her contribution to her own anonymity by acting as a node to
 the costs of doing so. Acting as a node dramatically increases anonymity,
-but it will also bring more traffic-related costs to the agent. Agents with
-high privacy sensitivity (high $v_{i}$) will be obviously keener in
-accepting the trade-off and becoming nodes.
+but it will also bring more traffic-related costs to the agent. Agents
+with high privacy sensitivity (high $v_{i}$) will be obviously keener
+in accepting the trade-off and becoming nodes.
 
 \subsubsection{Strategic Agents: Simple Case}
 
@@ -803,7 +797,6 @@
 mechanisms that can make mix-net systems economically viable in the next
 section.
 
-
 \section{Alternate incentive mechanisms}
 \label{sec:alternate-incentives}
 
@@ -812,12 +805,12 @@
 alternative mechanisms.
 
 \begin{enumerate}
-\item  Usage fee. Imagine a scenario where each participatant in the
+\item  Usage fee. Imagine a scenario where each participant in the
 system has to pay. The public good with free-riding problem discussed
 above turns into a ``clubs'' scenario. Participating agents can elaborate
 a pricing mechanism related to how much they expect to use the system or
 how sensitive they are (which involves mechanism design and revelation
-mechanism). The Anonymizer offers
+mechanism [explain]). The Anonymizer offers
 basic service at low costs to low sensitivity types (there is a
 cost in the delay and the hassles of using the free service), and offers
 better service for money. With usage fees, the cost of being a node
@@ -835,10 +828,10 @@
 service. The risks here are congestion and non-optimal use \cite
 {mackiemason-varian-95}.
 
-\item Public rankings and reputation. The incentives regarding
-reputation can come in the form of wanting a higher reputation to get
-more cover traffic, but also as one of the rewards for the ``special
-agents'' above. Just as the stats pages for seti@home \cite{seti-stats}
+\item Public rankings and reputation. The incentives regarding reputation
+can come in the form of wanting a higher reputation to get more cover
+traffic, but also as one of the rewards for the ``special agents''
+above. Just as the statistics pages for seti@home \cite{seti-stats}
 encourage more participation, publically quantifying and ranking
 generosity creates an incentive to participate. The incentives of public
 recognition and wanting to donate service for the public good are very
@@ -942,8 +935,8 @@
 and maintaining a position from which those attacks are effective ---
 which will probably involve gaining reputation and acting as a node for
 an extended period of time. Such adversaries will be in an arms race with
-protocol developers \cite{casc-rep} to stay undetected while performing
-their attacks. The benefits from successful attacks might be financial,
+protocol developers to stay undetected despite their attacks
+\cite{casc-rep}. The benefits from successful attacks might be financial,
 as in the case of discovering and using sensitive information, or a
 competitor's service being disrupted; or they could be purely related
 to personal satisfaction. The costs following being discovered as a
@@ -987,6 +980,9 @@
 using the system might be higher than the real costs --- especially when
 the system is new and not well known --- that in the strategic decision
 process described above they will decide against using the mix-net at all.
+Correct marketing seems critical to gaining critical mass in an anonymity
+system: in hindsight, perhaps Zero-Knowledge Systems would have gotten
+farther had it emphasized usability rather than security.
 
 %Note in this case that the choice of agents with lower privacy sensitivity
 %between different anonymous systems with different levels of anonymity (and
@@ -1033,7 +1029,7 @@
 \section{Future Work}
 
 We have described a basic model for characterizing and analyzing the various
-incentives that participants have to act either as senders or as nodes in
+incentives for participants to act either as senders or as nodes in
 strong anonymity infrastructures. There are a number of directions for
 future research:
 
@@ -1046,31 +1042,32 @@
 its node, it will have to generate them as dummy traffic in order not to pay
 a penalty.
 
+\item  Reliability. Related to the above, we should add reliability issues to
+the model.
+
 \item  Strategic dishonest nodes. We have discussed above that it is
 probably more economically sound for an agent to be a lazy node rather than
-a anonymity-attacking node. Assuming that strategic bad nodes can exist, we
-plan to study the incentives to act honestly or dishonestly and the effect
+an anonymity-attacking node. Assuming that strategic bad nodes can exist, we
+should study the incentives to act honestly or dishonestly and the effect
 on reliability and anonymity.
 
-\item  Reliability. Related to the above, we plan to further the study of
-reliabiliy issues in the model.
-
-\item  Unknow agent types. We extend the above scenarios further to consider
-probability distribution of an agent about another agent's type.
+\item  Unknown agent types. We should extend the above scenarios further
+to consider probability distribution for an agent's guess about another
+agent's privacy sensitivity.
 
-\item  Comparison between systems. We plan to compare mix-net systems to
-other systems, as well as to use the above framework to compare the adoption
+\item  Comparison between systems. We should compare mix-net systems to
+other systems, as well as use the above framework to compare the adoption
 of systems with different characteristics.
 
-\item  Exit nodes. We want to extend the above analysis to consider specific
-costs such as the potential costs associated to acting as an exit node.
+\item  Exit nodes. We should extend the above analysis to consider specific
+costs such as the potential costs associated with acting as an exit node.
 
 \item  Reputation. Reputation can have a powerful impact on the framework
-above in that it violates the assumption that traffic will distribute
-uniformly across nodes. We plan to study formally this extension on the
-lines described above.
+above in that it changes the assumption that traffic will distribute
+uniformly across nodes. We should study this extension more formally
+along the lines described above.
 
-\item  Information theoretic metric. We plan to extend the analysis of
+\item  Information theoretic metric. We should extend the analysis of
 information theoretic metrics in order to formalize the functional forms in
 the agent payoff function.
 \end{itemize}
@@ -1082,3 +1079,4 @@
 \bibliography{econymics}
 
 \end{document}
+

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/
Prev by Date: [freehaven-cvs] fixing up the tables so they"re legible
Next by Date: [freehaven-cvs] cleanup up through section 3
Prev by thread: [freehaven-cvs] fixing up the tables so they"re legible
Next by thread: [freehaven-cvs] cleanup up through section 3
Index(es):
- Date
- Thread