[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] Added (Pre-proceedings Draft) to the title. Reworded...
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.mit.edu:/tmp/cvs-serv16925
Modified Files:
econymics.bib econymics.ps econymics.tex
Log Message:
Added (Pre-proceedings Draft) to the title. Reworded several paragraphs
and bib entries to shorten them by a line to compensate. A few other small
changes. Added a reference.
Index: econymics.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.bib,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -d -r1.13 -r1.14
--- econymics.bib 15 Dec 2002 09:02:44 -0000 1.13
+++ econymics.bib 16 Dec 2002 21:24:14 -0000 1.14
@@ -15,7 +15,7 @@
@InProceedings{back01,
author = {Adam Back and Ulf M\"oller and Anton Stiglic},
title = {Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems},
- booktitle = {Information Hiding, 4th International Workshop (IH 2001)},
+ booktitle = {Information Hiding (IH 2001)},
pages = {245--257},
year = 2001,
editor = {Ira S. Moskowitz},
@@ -53,10 +53,10 @@
Hopwood and David Molnar},
title = {{A Reputation System to Increase MIX-net
Reliability}},
- booktitle = {Information Hiding, 4th International Workshop (IH 2001)},
+ booktitle = {Information Hiding (IH 2001)},
pages = {126--141},
year = 2001,
- editor = {Ira Moskowitz},
+ editor = {Ira S. Moskowitz},
publisher = {Springer-Verlag, LNCS 2137},
note = {\url{http://www.freehaven.net/papers.html}},
}
@@ -167,7 +167,7 @@
author = {Andrei Serjantov and Roger Dingledine and Paul Syverson},
title = {From a Trickle to a Flood: Active Attacks on Several
Mix Types},
- booktitle = {Information Hiding, 5th International Workshop (IH 2002)},
+ booktitle = {Information Hiding (IH 2002)},
year = 2002,
editor = {Fabien Petitcolas},
publisher = {Springer-Verlag, LNCS (forthcoming)},
@@ -223,3 +223,14 @@
publisher = {Springer Verlag, LNCS 2009},
note = {\url{http://citeseer.nj.nec.com/syverson00towards.html}}
}
+
+@InProceedings{gup,
+ author = {Stuart G. Stubblebine and Paul F. Syverson},
+ title = {Authentic Attributes with Fine-Grained Anonymity Protection},
+ booktitle = {Financial Cryptography (FC 2000)},
+ pages = {276--294},
+ year = 2001,
+ editor = {Yair Frankel},
+ publisher = {Springer-Verlag, LNCS 1962}
+}
+
Index: econymics.ps
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.ps,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- econymics.ps 13 Dec 2002 22:00:54 -0000 1.5
+++ econymics.ps 16 Dec 2002 21:24:14 -0000 1.6
@@ -8,7 +8,7 @@
%%EndComments
%DVIPSCommandLine: dvips econymics.dvi -o econymics.ps
%DVIPSParameters: dpi=600, comments removed
-%DVIPSSource: TeX output 2002.12.12:1802
+%DVIPSSource: TeX output 2002.12.16:1619
%%BeginProcSet: tex.pro
/TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N
/X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72
@@ -58,7 +58,7 @@
a}B /bos{/SS save N}B /eos{SS restore}B end
%%EndProcSet
[...6079 lines suppressed...]
+4101 y(anon)n(ymit)n(y)-6 b(.)47 b(In)30 b(Roger)h(Dingledine)g(and)g
+(P)n(aul)g(Syv)n(erson,)f(editors,)i Fa(Privacy)h(Enhancing)663
+4193 y(T)-6 b(e)l(chnolo)l(gies)29 b(\(PET)e(2002\))p
+Fp(.)h(Springer)d(V)-6 b(erlag,)27 b(LNCS)e(2482,)i(2002.)523
+4284 y(22.)43 b(Andrei)22 b(Serjan)n(to)n(v,)i(Roger)g(Dingledine,)g
+(and)f(P)n(aul)h(Syv)n(erson.)30 b(F)-6 b(rom)22 b(a)i(tric)n(kle)g(to)
+f(a)h(\015o)r(o)r(d:)663 4375 y(Activ)n(e)36 b(attac)n(ks)g(on)h(sev)n
+(eral)g(mix)e(t)n(yp)r(es.)66 b(In)36 b(F)-6 b(abien)36
+b(P)n(etitcolas,)j(editor,)e Fa(Information)663 4467
+y(Hiding)27 b(\(IH)g(2002\))p Fp(.)g(Springer-V)-6 b(erlag,)26
+b(LNCS)g(\(forthcoming\),)g(2002.)523 4558 y(23.)43 b(Stuart)17
+b(G.)h(Stubblebine)f(and)g(P)n(aul)h(F.)g(Syv)n(erson.)j(Authen)n(tic)
+16 b(attributes)i(with)g(\014ne-grained)663 4649 y(anon)n(ymit)n(y)j
+(protection.)31 b(In)23 b(Y)-6 b(air)23 b(F)-6 b(rank)n(el,)23
+b(editor,)h Fa(Financial)h(Crypto)l(gr)l(aphy)k(\(F)n(C)c(2000\))p
+Fp(,)663 4741 y(pages)h(276{294.)j(Springer-V)-6 b(erlag,)26
+b(LNCS)f(1962,)j(2001.)p eop
%%Trailer
end
userdict /end-hook known{end-hook}if
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -d -r1.46 -r1.47
--- econymics.tex 16 Dec 2002 11:20:54 -0000 1.46
+++ econymics.tex 16 Dec 2002 21:24:15 -0000 1.47
@@ -11,7 +11,8 @@
%\title{Issues in the Economics of Anonymity}
%\title{Topics in the Economics of Anonymity}
%\title{The Economics of Anonymity}
-\title{On the Economics of Anonymity}
+\title{On the Economics of Anonymity\\
+(Pre-proceedings Draft)}
\author{Alessandro Acquisti\inst{1} \and Roger Dingledine\inst{2} \and Paul Syverson\inst{3}}
\institute{SIMS, UC Berkeley
\email{(acquisti@sims.berkeley.edu)}
@@ -92,9 +93,10 @@
such commercial proxies are forced to trust them to protect traffic
information. Many users, particularly large organizations, are rightly
hesitant to use an anonymity infrastructure they do not control. However,
-running one's own system won't work: a system that carries traffic
-for only one organization cannot protect that organization from being
-identified. Nodes must carry traffic from others to provide cover.
+on an open network such as the Internet, running one's own system won't work:
+a system that carries traffic for only one organization will not hide the
+traffic entering and leaving that organization.
+Nodes must carry traffic from others to provide cover.
%Yet those others don't want to trust their
%traffic to a single entity either.
The only viable solution is to distribute trust. Each party can choose
@@ -109,7 +111,7 @@
nodes. In addition to the complexities of configuring current anonymity
software, running a node costs a significant amount of bandwidth and
processing power, most of which is used by `freeloading' users who do
-not themselves run nodes. Furthermore, when administrators are faced with
+not themselves run nodes. Moreover, when administrators are faced with
abuse complaints concerning illegal or antisocial use of their systems,
the very anonymity that they're providing precludes the usual solution
of suspending users or otherwise holding them accountable.
@@ -167,7 +169,7 @@
not having their messages tracked. Different agents might value
anonymity differently.
-Each agent $i$ (where $i=(1,...,N)$ and $N$ is the number of
+An agent $i$ (where $i=(1,...,N)$ and $N$ is the number of
potential participants in the mix-net) bases her strategy on the
following possible actions $a_{i}$:
@@ -619,6 +621,7 @@
Our goal is to highlight the economic rationale implicit in the
above inequalities. In the first case agent $i$ is comparing the
+benefits of the
contribution to her own anonymity of acting as a node to the
costs. Acting as a node dramatically increases anonymity, but it
will also bring more traffic-related costs to the agent. Agents
@@ -684,8 +687,8 @@
like \cite{Diaz02,Serj02} do not directly translate into monotonic
probability functions of the type traditionally used in game theory.
Furthermore, the actual level of anonymity will depend on the mix-net
-protocol and topology (cascade-based or synchronous networks will provide
-larger anonymity sets than asynchronous networks where traffic is divided
+protocol and topology (synchronous networks will provide
+larger anonymity sets than asynchronous networks for the same traffic divided
among the nodes).} Nevertheless, this framework can be mapped into the
model analyzed in \cite{palfrey-rosenthal-89} where two players decide
simultaneously whether to contribute to a public good.
@@ -808,7 +811,7 @@
tend to collapse when the benefits from being a node are not very high
compared to the costs. Paradoxically, it also breaks down when an
agent trusts another so much that she prefers to delegate away the task
-of being a node. The above considerations however also hint to other
+of being a node. The above considerations however also hint at other
possible solutions to reduce coordination costs. We now consider some
other mechanisms that can make these systems economically viable.
@@ -854,7 +857,7 @@
%cooperation.
\item \emph{``Special'' agents}. Such agents have a utility function
-which considers the social value of having an anonymous system, or are
+that considers the social value of having an anonymous system or are
otherwise paid or supported to provide such service. %The support might
%also come in form of reputation, as discussed below, or in financial
%form.
@@ -879,7 +882,7 @@
passing through the node), the high-sensitivity agents will
gravitate to safe nodes, causing more traffic and improving their safety
further (and lowering the safety of other nodes). In our model the
-system will stabilize with one or a few remailers. In reality, though,
+system will stabilize with one or a few mix nodes. In reality, though,
$p_a$ is influenced not just by $n_h$ but
also by jurisdictional diversity --- a given high-sensitivity sender is
happier with a diverse set of mostly busy nodes than with a set of very busy
@@ -941,7 +944,8 @@
and similar techniques rely on humans to make initial trust decisions, and
then bound trust flow over a certification graph. However, so far none of
these trust flow approaches have provided a clear solution to the problem.
-Another potential solution, a global PKI to ensure unique identities, is
+Another potential solution, a global PKI to ensure unique
+identities~\cite{gup}, is
unlikely to emerge any time soon.
\subsection{Dishonest Nodes vs.\ Lazy Nodes}
@@ -991,7 +995,7 @@
Surveys and analysis on actual attacks on actual systems (e.g., \cite
{nymserver98}) can help determine which forms of attacks are frequent, how
dangerous they are, and whether economic incentives or technical answers are
-the best way to counter them.
+the best countermeasures.
\subsection{Bootstrapping The System And Perceived Costs}
\label{sec:bootstrapping}
@@ -1026,12 +1030,13 @@
Note that here again reliability becomes an issue,
since we must consider both the benefits from sending a message \textit{and }%
-keeping it anonymous. If the benefits of sending the message are not that
-high in first instance, then the agents with low sensitivity will
-have fewer incentives to spend anything to maintain anonymity of the message.
-Given that in our model we consider the costs and benefits of
-using a certain system, we can of course extend the analysis to the
-comparison between different systems with different costs/benefit
+keeping it anonymous. If the benefits of sending a message are not that
+high to begin with, then a low sensitivity agent will
+have fewer incentives to spend anything on the message's anonymity.
+We can also extend the analysis from our
+model that considers the costs and benefits of a single system
+to the
+comparison of different systems with different costs/benefit
characteristics. We comment more on this in the conclusion.
%Note in this case that the choice of agents with lower privacy sensitivity
@@ -1092,10 +1097,10 @@
its node, it will have to generate them as dummy traffic in order not to pay
a penalty.
-\item Reliability. Related to the above, we should add reliability issues
+\item Reliability. As noted above, we should add reliability issues
to the model.
-\item Strategic dishonest nodes. We have discussed above that it is
+\item Strategic dishonest nodes. As we discussed, it is
probably more economically sound for an agent to be a lazy node than an
anonymity-attacking node. Assuming that strategic bad nodes can exist, we
should study the incentives to act honestly or dishonestly and the effect on
@@ -1114,8 +1119,7 @@
\item Reputation. Reputation can have a powerful impact on the framework
above in that it changes the assumption that traffic will distribute
-uniformly across nodes. We should study this extension more formally along
-the lines described above.
+uniformly across nodes. We should extend our analysis to study this more formally.
\item Information theoretic metric. We should extend the analysis of
information theoretic metrics in order to formalize the functional forms in
@@ -1154,8 +1158,7 @@
authority to redistribute payments may be more practical.
\end{itemize}
-\section*{Acknowledgments}
-
+\section*{Acknowledgements}
Work on this paper was supported by ONR.\@ Thanks to John
Bashinski, Nick Mathewson, Hal Varian, and the anonymous referees
for helpful comments.
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/