[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freehaven-cvs] committing the first real draft

Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Added Files:
	econymics.pdf econymics.ps 
Log Message:
committing the first real draft


--- NEW FILE: econymics.pdf ---
%PDF-1.2
3 0 obj <<
/Length 4 0 R
/Filter /FlateDecode
>>
stream
xڍ˒67ȩaH=ى
xDУFkfؐABе1"|85
$S0f|m
edKl
3-o{O0E-P{$2v)8@zj/>]~KvW1lL p.0㭐PP`)8*oozBt]`lyӋ`?=݆uoJwUbޘ`oE&]dw'Ɗ
5&{W:88<kxμU*o\%kwե2Lء%Uo"%9K*+j]Dt[+7Eg+e
3q,b[ͨp@3XF! 熆'/?ofj)mYx"(!:F/E:o8
:]Rp3~gE9n^ ku{évM!iΆ!}]"jZI%Ix$G3/x-0Lc.Nmݭ{o4F!$XRpӝ`϶=184s0C*yC܃moG,9BPf5B6o.Y?ر!-	$$( ]8!VAoʱZp<r
~ʣg?k @"|̄))r#3MK
|Cr<,%({O}qb_H>de,5:Ò
KX!~65%LJ`
ẹ掋

Y;0P\
L`Ъ~kĥ|Q+}ƈ?[@g??ʸendstream
endobj
4 0 obj
2530
endobj
[...3207 lines suppressed...]
0000197698 00000 n 
0000198236 00000 n 
0000206771 00000 n 
0000206793 00000 n 
0000206815 00000 n 
0000206837 00000 n 
0000206858 00000 n 
0000206890 00000 n 
0000207505 00000 n 
0000207580 00000 n 
0000207633 00000 n 
trailer
<<
/Size 250
/Root 248 0 R
/Info 249 0 R
>>
startxref
207729
%%EOF

--- NEW FILE: econymics.ps ---
%!PS-Adobe-2.0
%%Creator: dvipsk 5.86 p1.5d Copyright 1996-2001 ASCII Corp.(www-ptex@ascii.co.jp)
%%based on dvipsk 5.86 Copyright 1999 Radical Eye Software (www.radicaleye.com)
%%Title: econymics.dvi
%%Pages: 18
%%PageOrder: Ascend
%%BoundingBox: 0 0 612 792
%%EndComments
%DVIPSWebPage: (www.radicaleye.com)
%DVIPSCommandLine: dvips -o econymics.ps econymics.dvi
%DVIPSParameters: dpi=600, compressed
%DVIPSSource:  TeX output 2002.09.16:0429
%%BeginProcSet: texc.pro
%!
/TeXDict 300 dict def TeXDict begin/N{def}def/B{bind def}N/S{exch}N/X{S
N}B/A{dup}B/TR{translate}N/isls false N/vsize 11 72 mul N/hsize 8.5 72
mul N/landplus90{false}def/@rigin{isls{[0 landplus90{1 -1}{-1 1}ifelse 0
0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{
landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize
[...3198 lines suppressed...]
Fp(.) h(Springer) d(V) -6 b(erlag,) 27 b(LNCS) e(\(forthcoming\),) h
(2002.) 523 3097 y(20.) 43 b(Andrei) 22 b(Serjan) n(to) n(v,) i(Roger) g
(Dingledine,) g(and) f(P) n(aul) h(Syv) n(erson.) 30
b(F) -6 b(rom) 22 b(a) i(tric) n(kle) g(to) f(a) h(\015o) r(o) r(d:) 663
3188 y(Activ) n(e) d(attac) n(ks) h(on) g(sev) n(eral) g(mix) e(t) n
(yp) r(es.) 28 b(In) 21 b(F) -6 b(abien) 22 b(P) n(etitcolas,) h
(editor,) p Fa 23 w(Information) h(Hid-) 663 3279 y(ing,) f(5th) i
(International) g(Workshop) g(\(IH) f(2002\)) p Fp(.) f(Springer-V) -6
b(erlag,) 22 b(LNCS) g(\(forthcoming\),) 663 3371 y(2002.) 36
b(h) n(ttp://www.freeha) n(v) n(en.net/pap) r(ers.h) n(tml.) 523
3462 y(21.) 43 b(Bryce) 27 b(Wilco) n(x-O'Hearn.) 39
b(Exp) r(eriences) 27 b(Deplo) n(ying) h(a) f(Large-Scale) h(Emergen) n
(t) f(Net) n(w) n(ork.) 663 3553 y(In) p Fa 24 w(1st) g(International) h
(Pe) l(er) g(T) -6 b(o) 27 b(Pe) l(er) h(Systems) g(Workshop) g
(\(IPTPS) f(2002\)) p Fp(,) f(Marc) n(h) f(2002.) p Fs
1922 5173 a(18) p 90 rotate dyy eop
%%Trailer
end
userdict /end-hook known{end-hook}if
%%EOF

Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -d -r1.23 -r1.24
--- econymics.tex	16 Sep 2002 07:37:07 -0000	1.23
+++ econymics.tex	16 Sep 2002 08:29:53 -0000	1.24
@@ -85,10 +85,12 @@
 \begin{abstract}
 
 Decentralized anonymity infrastructures are still not in wide use today.
-Here we present some new insights about how to align incentives to
-create an economically workable system for both users and infrastructure
+We (the community) must figure out how to change our approaches and
+designs in order to build systems with a better chance of success. Here
+we present some new insights about how to align incentives to create
+an economically workable system for both users and infrastructure
 operators. We explore some reasons why anonymity systems are particularly
-hard to deploy, enumerate the incentives to participate just as senders
+hard to deploy, enumerate the incentives to participate either as senders
 or also as nodes, and build a general model to take into account these
 incentives. We then describe and justify some simplifying assumptions to
 make the model manageable, and compare optimal strategies for participants
@@ -140,7 +142,7 @@
 \ref{sec:roadblocks} describe some alternate approaches to incentives and
 problems we encounter in designing and deploying strong anonymity systems.
 
-\section{An Economics of Anonymity}
+\section{The Economics of Anonymity}
 \label{sec:overview}
 
 Single-hop web proxies like the Anonymizer can probably protect
@@ -207,7 +209,7 @@
 
 In this section and the following we formalize the economic analysis of why
 people might want to send messages through mix-nets. Here we discuss the
-incentives for the agents to participate just as senders or also as nodes,
+incentives for the agents to participate either as senders or also as nodes,
 and we start proposing a general framework for the analysis. In the next
 section we consider various applications of our framework.
 
@@ -801,7 +803,7 @@
 \label{sec:alternate-incentives}
 
 As the self-organized system might collapse under some of the conditions
-examined above, we discuss now what economic incentives are associated to
+examined above, we discuss now what economic incentives we can get from
 alternative mechanisms.
 
 \begin{enumerate}
@@ -822,7 +824,7 @@
 agents can lead them to agree on cooperation and punishments for breaching
 cooperation.
 
-\item  ``Special'' agent. Imagine having a ``special agent'' whose utility
+\item  ``Special'' agents. Imagine having a ``special agent'' whose utility
 function has been modified to consider the social value of having an
 anonymous system, or which is being paid for or supported to provide such
 service. The risks here are congestion and non-optimal use \cite
@@ -843,30 +845,30 @@
 the high sensitivity users will gravitate to safe mixes, causing
 more traffic, and improving their safety further (and lowering the safety
 of other nodes). Based on our model the system will stabilize with one
-or a few remailers. One reason it won't actually stabilize like this
-is because $p_a$ is influenced not just by $n_h$ but also by
-jurisdictional diversity --- a given high sensitivity sender is
-happier with a diverse set of mostly safe nodes than with a set of very
-safe nodes run in the same zone. Another reason it may not stabilize is
-that at some point latency will begin to suffer, and the low sensitivity
-users will go elsewhere, thus taking away the nice anonymity sets. (On
-the other hand, current Mixmaster use levels are nowhere near that point.)
+or a few remailers. One reason it won't stabilize in reality is because
+$p_a$ is influenced not just by $n_h$ but also by jurisdictional diversity
+--- a given high sensitivity sender is happier with a diverse set of
+mostly safe nodes than with a set of very safe nodes run in the same
+zone. Another reason it may not stabilize is that at some point latency
+will begin to suffer, and the low sensitivity users will go elsewhere,
+taking away the nice anonymity sets. (On the other hand, current Mixmaster
+use levels are nowhere near that point.)
 
 More generally, a mix that chooses a frequent batching time may get lots
 of messages from the low sensitivity people, and thus end up providing
 \emph{better} anonymity than one that fires only infrequently. Is a
 message from a high sensitivity sender ''better'' than a message from a
 low sensitivity sender? Certainly a dummy message which ends at a mix is
-''worse'' than an actual message that ends at an actual recipient.
+''worse'' than a message that ends at an actual recipient.
 
 \item Micropayments for service. Mojo Nation \cite{mojo} was a
 peer-to-peer design for robustly distributing resources (e.g. file
 sharing). It employed a digital cash system, called \emph{mojo}, to help
 protect against abuse of the system. In addition to the usual operations
 of publish and retrieve, users could also pay nodes to indirect traffic
-through them, both so they can participate in the system behind NATs
+through them, both so they can participate in the system from behind NATs
 and so they can gain some measure of anonymity. Participants in the
-system `pay' mojo to other participants when they ask for a service that
+system pay mojo to other participants in exchange for a service that
 uses resources. Thus Mojo Nation reduces the potential for damage from
 resource flooding attacks. Further, this credit and reputation system
 allows the interactions to be streamlined based on trust built up from
@@ -889,14 +891,14 @@
 
 \subsection{Pseudospoofing and dishonest nodes}
 
-Our discussions above indicate that it may in fact be plausible to build a
-strong anonymity infrastructure from a wide-spread group of independent
-nodes that each want good anonymity for their own purposes. In fact, the
-more jurisdictionally diverse this group of nodes, the more robust the
+Our discussions so far indicate that it may in fact be plausible to build
+a strong anonymity infrastructure from a wide-spread group of independent
+nodes that each want good anonymity for their own purposes. In fact,
+the more jurisdictionally diverse this group of nodes, the more robust the
 overall system.
 
 However, volunteers are problems: users don't know who they're dealing with.
-In this work we primarily focus on the strategic motivations of honest
+We have primarily focused on the strategic motivations of honest
 agents, but the motivations of dishonest agents are at least as important.
 An anonymity-breaking adversary with an adequate budget would do best to
 provide very good service, possibly also attempting DoS against other
@@ -904,7 +906,7 @@
 efficiency will help tell who the bad guys are in this instance. Further,
 who assigns those metrics and how? If they depend on a centralized trusted
 authority, the advantages of diffusion are lost. Another approach to
-breaking anonymity is to simply destroy the reliability (or maybe just the
+breaking anonymity is to simply attack the reliability (or maybe just the
 perceived reliability) of the system --- this attack flushes users to a
 weaker system just as military strikes against underground cables force the
 enemy to communicate over less secure channels.
@@ -948,7 +950,7 @@
 All things considered, it might be that the law of economics works
 against the attacker as well.
 
-A ``lazy'' node might be an agent who wants to protect
+A ``lazy'' node wants to protect
 her own anonymity, but keeps her costs lower by not forwarding or
 accepting all of her incoming traffic. By doing so this node decreases
 the reliability of the system. While this strategy might be sounder than
@@ -958,8 +960,8 @@
 own node, might actually reduce the anonymity of that agent.
 
 Surveys and analysis on actual attacks on actual systems (eg
-\cite{nymserver98}) can help us determine which forms of attacks are
-more frequent, how dangerous they are, and whether economic incentives
+\cite{nymserver98}) can help determine which forms of attacks are
+frequent, how dangerous they are, and whether economic incentives
 or technical answers are the best way to counter them.
 
 \subsection{Bootstrapping the system and perceived costs}
@@ -970,16 +972,16 @@
 all the players can somehow know each other and coordinate to start with
 one of the cooperative equilibria discussed above.
 
-As this might not be an often realistic scenario, we must discuss how a
+As this might not be a realistic scenario, we must discuss how a
 mix-net system with distributed trust can come to be. We face a paradox
-here --- agents with high privacy sensitivity want lots of traffic in
+here: agents with high privacy sensitivity want lots of traffic in
 order to feel secure using the system. They need many participants with
 lower privacy sensitivities using the system first. The problem lies in
-the fact that there's no reason to believe the lower sensitive types are
+the fact that there's no reason to believe the lower sensitivity types are
 more likely to be early adopters. In addition, their perceived costs of
 using the system might be higher than the real costs --- especially when
-the system is new and not well known --- that in the strategic decision
-process described above they will decide against using the mix-net at all.
+the system is new and not well known --- so in the strategic decision
+process they will decide against using the mix-net at all.
 Correct marketing seems critical to gaining critical mass in an anonymity
 system: in hindsight, perhaps Zero-Knowledge Systems would have gotten
 farther had it emphasized usability rather than security.
@@ -1035,7 +1037,7 @@
 
 \begin{itemize}
 \item  Dummy traffic. Dummy traffic increases costs but it also increases
-anonymity. In this extensio we plan to study bilateral or multilateral
+anonymity. In this extension we should study bilateral or multilateral
 contracts between agents, forcing contractually each agent to send to
 another agent(s) a certain number of messages in each period. With these
 contracts, if the sending agent has not enough real messages going through
@@ -1046,13 +1048,13 @@
 the model.
 
 \item  Strategic dishonest nodes. We have discussed above that it is
-probably more economically sound for an agent to be a lazy node rather than
+probably more economically sound for an agent to be a lazy node than
 an anonymity-attacking node. Assuming that strategic bad nodes can exist, we
 should study the incentives to act honestly or dishonestly and the effect
 on reliability and anonymity.
 
 \item  Unknown agent types. We should extend the above scenarios further
-to consider probability distribution for an agent's guess about another
+to consider a probability distribution for an agent's guess about another
 agent's privacy sensitivity.
 
 \item  Comparison between systems. We should compare mix-net systems to

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/