[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] more cleanup, particularly Section 7
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03
Modified Files:
econymics.tex
Log Message:
more cleanup, particularly Section 7
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -d -r1.19 -r1.20
--- econymics.tex 16 Sep 2002 04:50:08 -0000 1.19
+++ econymics.tex 16 Sep 2002 05:13:07 -0000 1.20
@@ -80,7 +80,6 @@
\email{(syverson@itd.nrl.navy.mil)}}
\maketitle
-%\pagestyle{myheadings} \markboth{Towards an Econymics, Draft \today}{Towards an Econymics, Draft \today}
\pagestyle{plain}
\begin{abstract}
@@ -334,13 +333,15 @@
\begin{itemize}
\item through the mix-net system, $c_{s}$. This cost includes both direct
financial costs such as usage fees, as well as implicit costs such as the
-time to build an anonymous message, learning curve to get familiar with the
-system, and delays incurred when using the system. These delays should be
-positively correlated to the traffic $n_{s}$ and negatively correlated to
-the number of nodes $n_{h}$. % FIXME is this right? -RD
-In addition, when message delivery is guaranteed, a node might always choose
-a longer route to reduce risk. We could assign a higher $c_{s}$ to longer
-routes to reflect the cost of additional delay.
+time to build an anonymous message, learning curve to get familiar with
+the system, and delays incurred when using the system. At first these
+delays seem positively correlated to the traffic $n_{s}$ and negatively
+correlated to the number of nodes $n_{h}$. But counterintuitively, more
+messages per node might instead \emph{decrease} latency because nodes can
+process batches more often; see Section \ref{sec:alternate-incentives}. In
+addition, when message delivery is guaranteed, a node might always
+choose a longer route to reduce risk. We could assign a higher $c_{s}$
+to longer routes to reflect the cost of additional delay.
\item or through a conventional non-anonymous system, $c_{n}$.
@@ -408,12 +409,9 @@
c_{n}$.} Note that $\gamma $ and $\partial$ describe the probability of a
message being delivered and a message remaining anonymous, respectively.
These probabilities are weighted with the values $v_{r,a}$ because different
-agents might value anonymity and reliability differently,%\footnote{%
-%In other words, even if agents agree on metrics for reliability and
-%anonymity, some might care more about anonymity than
-%reliability, some vice versa.}
-and because in different scenarios anonymity and reliability for the same
-agent might have different impacts on her payoff.
+agents might value anonymity and reliability differently, and because in
+different scenarios anonymity and reliability for the same agent might
+have different impacts on her payoff.
While messages might be sent anonymously to avoid costs or to gain profits,
the costs and benefits from sending the message might be distinct from the
@@ -507,14 +505,14 @@
participants, plus the fact that earlier actions indicate only a weak
commitment to future actions,
% did my changes just make this statement incorrect?
-suggest against using a sequential approach \textit{a la } Stackleberg.
-%cite?
+suggest against using a sequential approach \textit{a la} Stackleberg.
+[cite]
With a large group size there might be no discernable nor agreeable order
for the actions of all participants, so actions can be considered
simultaneous. The limited commitment produced by earlier actions allow us to
consider a repeated-game scenario. We also imagine that the need to send a
message at each period is high enough that a ``war of attrition'' framework
-is not applicable.
+is not applicable. [explain war of attrition]
\subsection{Adversary}
@@ -527,14 +525,12 @@
choosing strategies agents will attach a subjective probability to arbitrary
nodes being compromised --- all nodes not run by the agent are assigned the
same probability of being compromised. This factor influences their
-assessment of the anonymity of messages they send. For our purposes, it will
-not matter whether the set of compromised nodes is static or dynamic (as in
-\cite{syverson_2000}). A purely passive adversary is unrealistic in most
-settings, e.g., it assumes that hostile users never selectively send
-messages at certain times or routes, and nodes and links never selectively
-trickle or flood messages \cite{trickle02}. Nonetheless, a \emph{global}
-passive adversary is still quite strong, and thus a typical starting point
-of anonymity analyses.
+assessment of the anonymity of messages they send. A purely passive
+adversary is unrealistic in most settings, e.g., it assumes that
+hostile users never selectively send messages at certain times or
+routes, and nodes and links never selectively trickle or flood messages
+\cite{trickle02}. Nonetheless, a \emph{global} passive adversary is still
+quite strong, and thus a typical starting point of anonymity analyses.
\subsection{Honest agents}
@@ -581,10 +577,7 @@
there are $n_{s}$ agents sending messages over $n_{h}$ and $n_{d}$ nodes,
and sending messages through a non-anonymous system, respectively. Each
period, the rational agent can compare the disutility coming from each of
-these three one-period strategies. %: only send her own
-%messages through the mix-net, $a_{s}$; or send her messages but also act as
-%node forwarding other users' messages, $a_{h}$; or send a message without
-%using the mix-net, $a_{n}$.
+these three one-period strategies.
\begin{equation*}
\begin{tabular}{cc}
@@ -670,14 +663,15 @@
(like \cite{Serj02,Diaz02}) do not directly translate into monotonic
probability functions of the type traditionally used in game theory.
Furthermore, the actual level of anonymity will depend on the mix-net
-protocol and topology (cascades will provide larger anonymity sets at each
-node than free-route networks). Nevertheless we can highlight the economic
-rationale implicit in the above equation. In the first comparison agent $i$
-is comparing her contribution to her own anonymity by acting as a node to
+protocol and topology (cascade-based or synchronous networks will provide
+larger anonymity sets than asynchronous networks where traffic is divided
+among the nodes). Nevertheless we can highlight the economic rationale
+implicit in the above equation. In the first comparison agent $i$ is
+comparing her contribution to her own anonymity by acting as a node to
the costs of doing so. Acting as a node dramatically increases anonymity,
-but it will also bring more traffic-related costs to the agent. Agents with
-high privacy sensitivity (high $v_{i}$) will be obviously keener in
-accepting the trade-off and becoming nodes.
+but it will also bring more traffic-related costs to the agent. Agents
+with high privacy sensitivity (high $v_{i}$) will be obviously keener
+in accepting the trade-off and becoming nodes.
\subsubsection{Strategic Agents: Simple Case}
@@ -803,7 +797,6 @@
mechanisms that can make mix-net systems economically viable in the next
section.
-
\section{Alternate incentive mechanisms}
\label{sec:alternate-incentives}
@@ -812,12 +805,12 @@
alternative mechanisms.
\begin{enumerate}
-\item Usage fee. Imagine a scenario where each participatant in the
+\item Usage fee. Imagine a scenario where each participant in the
system has to pay. The public good with free-riding problem discussed
above turns into a ``clubs'' scenario. Participating agents can elaborate
a pricing mechanism related to how much they expect to use the system or
how sensitive they are (which involves mechanism design and revelation
-mechanism). The Anonymizer offers
+mechanism [explain]). The Anonymizer offers
basic service at low costs to low sensitivity types (there is a
cost in the delay and the hassles of using the free service), and offers
better service for money. With usage fees, the cost of being a node
@@ -835,10 +828,10 @@
service. The risks here are congestion and non-optimal use \cite
{mackiemason-varian-95}.
-\item Public rankings and reputation. The incentives regarding
-reputation can come in the form of wanting a higher reputation to get
-more cover traffic, but also as one of the rewards for the ``special
-agents'' above. Just as the stats pages for seti@home \cite{seti-stats}
+\item Public rankings and reputation. The incentives regarding reputation
+can come in the form of wanting a higher reputation to get more cover
+traffic, but also as one of the rewards for the ``special agents''
+above. Just as the statistics pages for seti@home \cite{seti-stats}
encourage more participation, publically quantifying and ranking
generosity creates an incentive to participate. The incentives of public
recognition and wanting to donate service for the public good are very
@@ -942,8 +935,8 @@
and maintaining a position from which those attacks are effective ---
which will probably involve gaining reputation and acting as a node for
an extended period of time. Such adversaries will be in an arms race with
-protocol developers \cite{casc-rep} to stay undetected while performing
-their attacks. The benefits from successful attacks might be financial,
+protocol developers to stay undetected despite their attacks
+\cite{casc-rep}. The benefits from successful attacks might be financial,
as in the case of discovering and using sensitive information, or a
competitor's service being disrupted; or they could be purely related
to personal satisfaction. The costs following being discovered as a
@@ -987,6 +980,9 @@
using the system might be higher than the real costs --- especially when
the system is new and not well known --- that in the strategic decision
process described above they will decide against using the mix-net at all.
+Correct marketing seems critical to gaining critical mass in an anonymity
+system: in hindsight, perhaps Zero-Knowledge Systems would have gotten
+farther had it emphasized usability rather than security.
%Note in this case that the choice of agents with lower privacy sensitivity
%between different anonymous systems with different levels of anonymity (and
@@ -1033,7 +1029,7 @@
\section{Future Work}
We have described a basic model for characterizing and analyzing the various
-incentives that participants have to act either as senders or as nodes in
+incentives for participants to act either as senders or as nodes in
strong anonymity infrastructures. There are a number of directions for
future research:
@@ -1046,31 +1042,32 @@
its node, it will have to generate them as dummy traffic in order not to pay
a penalty.
+\item Reliability. Related to the above, we should add reliability issues to
+the model.
+
\item Strategic dishonest nodes. We have discussed above that it is
probably more economically sound for an agent to be a lazy node rather than
-a anonymity-attacking node. Assuming that strategic bad nodes can exist, we
-plan to study the incentives to act honestly or dishonestly and the effect
+an anonymity-attacking node. Assuming that strategic bad nodes can exist, we
+should study the incentives to act honestly or dishonestly and the effect
on reliability and anonymity.
-\item Reliability. Related to the above, we plan to further the study of
-reliabiliy issues in the model.
-
-\item Unknow agent types. We extend the above scenarios further to consider
-probability distribution of an agent about another agent's type.
+\item Unknown agent types. We should extend the above scenarios further
+to consider probability distribution for an agent's guess about another
+agent's privacy sensitivity.
-\item Comparison between systems. We plan to compare mix-net systems to
-other systems, as well as to use the above framework to compare the adoption
+\item Comparison between systems. We should compare mix-net systems to
+other systems, as well as use the above framework to compare the adoption
of systems with different characteristics.
-\item Exit nodes. We want to extend the above analysis to consider specific
-costs such as the potential costs associated to acting as an exit node.
+\item Exit nodes. We should extend the above analysis to consider specific
+costs such as the potential costs associated with acting as an exit node.
\item Reputation. Reputation can have a powerful impact on the framework
-above in that it violates the assumption that traffic will distribute
-uniformly across nodes. We plan to study formally this extension on the
-lines described above.
+above in that it changes the assumption that traffic will distribute
+uniformly across nodes. We should study this extension more formally
+along the lines described above.
-\item Information theoretic metric. We plan to extend the analysis of
+\item Information theoretic metric. We should extend the analysis of
information theoretic metrics in order to formalize the functional forms in
the agent payoff function.
\end{itemize}
@@ -1082,3 +1079,4 @@
\bibliography{econymics}
\end{document}
+
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/