[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] some more tweaks on the paper
Update of /home2/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/home2/arma/work/onion/cvs/tor/doc/design-paper
Modified Files:
challenges.pdf challenges.tex
Log Message:
some more tweaks on the paper
Index: challenges.pdf
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/design-paper/challenges.pdf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
Binary files /tmp/cvsucEJ43 and /tmp/cvs6D2N61 differ
Index: challenges.tex
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -d -r1.71 -r1.72
--- challenges.tex 9 Feb 2005 17:42:21 -0000 1.71
+++ challenges.tex 10 Feb 2005 06:20:18 -0000 1.72
@@ -563,7 +563,7 @@
running nodes, but
from the information they have provided, it seems that many of them run Tor
nodes for reasons of personal interest in privacy issues. It is possible
-that others are running Tor nodes for the protection of their own
+that others are running Tor nodes to protect their own
anonymity, but of course they are
hardly likely to tell us specifics if they are.
%Significantly, Tor's threat model changes the anonymity incentives for running
@@ -603,7 +603,8 @@
interesting policy implications, however; see
the next section below.
Exit policies help to limit administrative costs by limiting the frequency of
-abuse complaints. (See Section~\ref{subsec:tor-and-blacklists}.)
+abuse complaints (see Section~\ref{subsec:tor-and-blacklists}). We discuss
+technical incentive mechanisms in Section~\ref{subsec:incentives-by-design}.
%[XXXX say more. Why else would you run a node? What else can we do/do we
% already do to make running a node more attractive?]
@@ -1114,7 +1115,7 @@
a variety of challenges. One of these is that they need to find enough
exit nodes---servers on the `free' side that are willing to relay
traffic from users to their final destinations. Anonymizing
-networks incorporating Tor are well-suited to this task since we have
+networks like Tor are well-suited to this task since we have
already gathered a set of exit nodes that are willing to tolerate some
political heat.
@@ -1152,11 +1153,11 @@
Tor is running today with hundreds of nodes and tens of thousands of
users, but it will certainly not scale to millions.
Scaling Tor involves four main challenges. First, to get a
-large initial set of nodes, we must address incentives for
+large set of nodes, we must address incentives for
users to carry traffic for others. Next is safe node discovery, both
while bootstrapping (Tor clients must robustly find an initial
-node list) and later (Tor client must learn about a fair sample
-of honest nodes and not let the adversary control his circuits).
+node list) and later (Tor clients must learn about a fair sample
+of honest nodes and not let the adversary control circuits).
We must also detect and handle node speed and reliability as the network
becomes increasingly heterogeneous: since the speed and reliability
of a circuit is limited by its worst link, we must learn to track and
@@ -1164,6 +1165,7 @@
the network can connect to all other points.
\subsection{Incentives by Design}
+\label{subsec:incentives-by-design}
There are three behaviors we need to encourage for each Tor node: relaying
traffic; providing good throughput and reliability while doing it;
@@ -1202,12 +1204,12 @@
Unfortunately, such an approach introduces new anonymity problems.
There are many surprising ways for nodes to game the incentive and
-reputation system to undermine anonymity because such systems are
-designed to encourage fairness in storage or bandwidth usage not
+reputation system to undermine anonymity---such systems are typically
+designed to encourage fairness in storage or bandwidth usage, not
fairness of provided anonymity. An adversary can attract more traffic
-by performing well or can provide targeted differential performance to
-individual users to undermine their anonymity. Typically a user who
-chooses evenly from all options is most resistant to an adversary
+by performing well or can target individual users by selectively
+performing, to undermine their anonymity. Typically a user who
+chooses evenly from all nodes is most resistant to an adversary
targeting him, but that approach hampers the efficient use
of heterogeneous nodes.