[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freehaven-cvs] separated pseudospoofing sec from dishonest nodes sec

To: freehaven-cvs@freehaven.net
Subject: [freehaven-cvs] separated pseudospoofing sec from dishonest nodes sec
From: arma@seul.org (Roger Dingledine)
Date: Mon, 16 Sep 2002 22:50:52 -0400 (EDT)
Delivered-To: archiver@seul.org
Delivered-To: freehaven-cvs-outgoing@seul.org
Delivered-To: freehaven-cvs@seul.org
Delivery-Date: Mon, 16 Sep 2002 22:50:53 -0400
Reply-To: freehaven-dev@freehaven.net
Sender: owner-freehaven-cvs@freehaven.net

Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
separated pseudospoofing sec from dishonest nodes sec


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -d -r1.36 -r1.37
--- econymics.tex	17 Sep 2002 02:37:55 -0000	1.36
+++ econymics.tex	17 Sep 2002 02:50:49 -0000	1.37
@@ -671,7 +671,7 @@
 \end{equation*}
 As before, each agent has a trade-off between the cost of traffic and the
 benefit of traffic when being a node, and a trade-off between having more
-nodes and less nodes. In addition to the previous analysis, now the final
+nodes and fewer nodes. In addition to the previous analysis, now the final
 outcome also depends on how much each agent knows about whether the
 other is honest, and how much she knows about the other agent's
 sensitivity to privacy.
@@ -901,9 +901,7 @@
 
 \label{sec:roadblocks}
 
-%\subsection{Authentication in a volunteer economy}
-
-\subsection{Pseudospoofing and dishonest nodes}
+\subsection{Authentication in a volunteer economy}
 
 Our discussions so far indicate that it may in fact be plausible to build a
 strong anonymity infrastructure from a wide-spread group of independent
@@ -911,23 +909,13 @@
 more jurisdictionally diverse this group of nodes, the more robust the
 overall system.
 
-However, volunteers are problems: users don't know whom they're dealing with.
-We have primarily focused on the strategic motivations of honest agents, but
-the motivations of dishonest agents are at least as important. An
-anonymity-breaking adversary with an adequate budget would do best to
-provide very good service, possibly also attempting DoS against other
-high-quality providers. None of the usual metrics of performance and
-efficiency will help tell who the bad guys are in this instance. Further,
-who assigns those metrics and how? If they depend on a centralized trusted
-authority, the advantages of diffusion are lost. Another approach to
-breaking anonymity is to simply attack the reliability (or maybe just the
-perceived reliability) of the system --- this attack flushes users to a
-weaker system just as military strikes against underground cables force the
-enemy to communicate over less secure channels.
-
-It is possible to structure system protocols to create better incentives for
-honest principals and to catch bad performance by others \cite
-{mix-acc,casc-rep}. But even when this is feasible, identifying individuals
+However, volunteers are problems: users don't know the node operators,
+and don't know whether they can trust them. We can structure system
+protocols to create better incentives for honest principals and to catch
+bad performance by others, e.g. by incorporating receipts and trusted
+witnesses \cite{mix-acc}, or using a self-regulating topology based on
+verifying reliability \cite{casc-rep}. But even when this is feasible,
+identifying individuals
 is a problem. Classic authentication considers whether it's the right
 entity, but not whether the authenticated parties are distinct from one
 another. One person may create and control several distinct online
@@ -941,7 +929,20 @@
 Another potential solution, a global PKI to ensure unique identities, is
 unlikely to emerge any time soon.
 
-\subsubsection{Why lazy nodes are more likely than dishonest nodes.}
+\subsection{Dishonest nodes vs lazy nodes}
+
+We have primarily focused on the strategic motivations of honest agents,
+but the motivations of dishonest agents are at least as important. An
+anonymity-breaking adversary with an adequate budget would do best to
+provide very good service, possibly also attempting DoS against other
+high-quality providers. None of the usual metrics of performance and
+efficiency can identify dishonest nodes. Further, who calculates those
+metrics and how? If they depend on a centralized trusted
+authority, the advantages of diffusion are lost. Another approach to
+breaking anonymity is to simply attack the reliability or
+perceived reliability of the system --- this attack flushes users
+to a weaker system just as military strikes against underground cables
+force the enemy to communicate over less secure channels.
 
 On the other hand, when we consider strategic dishonest nodes we must also
 analyze their motivations as rational agents. A flat-out dishonest agent

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/

Prev by Date: [freehaven-cvs] margin games and patches. we"re a good length now.
Next by Date: [freehaven-cvs] err...fixed a typo in the abstract :)
Prev by thread: [freehaven-cvs] margin games and patches. we"re a good length now.
Next by thread: [freehaven-cvs] err...fixed a typo in the abstract :)
Index(es):
- Date
- Thread