%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%deffont "standard" xfont "comic sans ms-medium-r"
%%deffont "thick" xfont "arial black-medium-r"
%%deffont "typewriter" xfont "courier new-bold-r"
%%deffont "type2writer" xfont "arial narrow-bold-r"
%%deffont "standard" tfont "standard.ttf", tmfont "kochi-mincho.ttf"
%%deffont "thick" tfont "thick.ttf", tmfont "goth.ttf"
%%deffont "typewriter" tfont "typewriter.ttf", tmfont "goth.ttf"
%deffont "standard" xfont "helvetica-medium-r", tfont "arial.ttf", tmfont "times.ttf"
%deffont "thick" xfont "helvetica-bold-r", tfont "arialbd.ttf", tmfont "hoso6.ttf"
%deffont "italic" xfont "helvetica-italic-r", tfont "ariali.ttf", tmfont "hoso6.ttf"
%deffont "typewriter" xfont "courier-medium-r", tfont "typewriter.ttf", tmfont "hoso6.ttf"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 8, fore "black", back "white", font "thick", hgap 1
%default 2 size 8, vgap 10, prefix " ", ccolor "black"
%default 3 size 6, bar "gray70", vgap 0
%default 4 size 6, fore "black", vgap 0, prefix " ", font "standard"
%%
%%default 1 area 90 90, leftfill, size 9, fore "yellow", back "blue", font "thick"
%%default 2 size 9, vgap 10, prefix " "
%%default 3 size 7, bar "gray70", vgap 10
%%default 4 size 7, vgap 30, prefix " ", font "standard"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 5, vgap 40, prefix " ", icon arc "red" 50
%tab 2 size 4, vgap 35, prefix " ", icon delta3 "blue" 40
%tab 3 size 3, vgap 35, prefix " ", icon dia "DarkViolet" 40
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%center, size 9, font "thick", back "white", fore "black"

Reputation and Anonymity

%size 7
Roger Dingledine
The Free Haven Project

%font "typewriter", fore "blue"
http://freehaven.net/

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Overview

%leftfill
	Background on anonymity (economics)
%%Why we think reputation can help
	The problem: reliability
	Background on reputation
	Why reputation isn't the silver bullet
	Lessons learned, example systems
	Open problems

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

What do I mean by anonymity?

	We want to prevent an adversary from linking
		sender to receiver
		sender to message
		publisher to reader
	Even an adversary who can watch a lot of the network, watch the sender, run nodes, etc
	Generally done by using multiple nodes for a transaction
	Not steganography, not just leaving your name off

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Many people need anonymity

%leftfill
	Individuals are tracked and profiled daily
		Imagine your dossier in twenty years
		(If that doesn't scare you, think of your kids)
%size 6
	Political dissidents in oppressive countries
	Governments want to do operations secretly
	Corporations vulnerable to traffic analysis:
		VPNs, encryption don't block corporate espionage

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Anonymity is at odds with usability

%leftfill
	Anonymity requires
%cont, font "italic"
inefficiencies
%cont, font "standard"
in computation, bandwidth, storage
	Unlike encryption, it's not enough for just one person to want anonymity: the infrastructure must participate

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Hide users with users

	Anonymity systems use messages to hide messages
		(the more noise, the more anonymous something in that noise is)
	Senders are consumers of anonymity, and providers of the cover traffic that creates anonymity for others
	Users might be better off on crowded systems, even if those systems have weaker anonymity designs

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%page
%%
%%More users is good
%%
%%High traffic => better performance
%%
%%Better performance => high traffic
%%
%%Attracts more users: faster
%%%cont, font "italic"
%%and
%%%cont, font "standard"
%%more anonymous
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%page
%%
%%Beware of trust bottlenecks
%%
%%Nodes with more traffic must be more trusted
%%
%%Adversary who wants more traffic should provide good service
%%
%%(and knock down other good providers)
%%
%%Performance and efficiency metrics
%%%cont, font "italic"
%%cannot
%%%cont, font "standard"
%%distinguish bad guys from good guys
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Strong anonymity requires distributed trust

	An anonymity system can't be just for one entity
		(even a large corporation or government)
	You must carry traffic for others to protect yourself
	But those others don't want to trust their traffic to just one entity either

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

An Economics of Anonymity

	Systems need cover traffic (many low-sensitivity users) to attract the high-sensitivity users
	Most users do not value anonymity much
	Weak security (fast system) can mean more users
		which can mean
%cont, font "italic"
stronger
%cont, font "standard"
anonymity
	High-sensitivity agents have incentive to run nodes
		so they can be certain first node in their path is good
		to attract cover traffic for their messages
	There can be an optimal level of free-riding

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Reliability is critical for anonymity systems

	Traditional accountability (eg contract) doesn't work
	Since we don't know full network state, transactions tend to be unreliable
	With many nodes, each node won't interact with everybody often
	Free riding, abuse, anonymity attacks
	Maybe reputation can help...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Facets of Reputation

	Reputation as a signal:
		Tool to predict the future based on past behavior
	Reputation as a sanction:
		Tool to change the future by giving people incentive to behave well
	Tool for risk management

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Reputation is problematic in anonymity systems

	Attacker or freeloader can cheaply throw away bad-reputation nodes.
	Hard to detect/verify a node's behavior while maintaining anonymity.
		We had to redesign systems to support this!
	Reputation information can be exploited to subvert anonymity...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Reputation can be exploited

	A node can't measure all nodes. If he measures only some, he gives away which ones he might use.
	A central reputation server can give different info to different people. Must replicate and coordinate?
	Adversary has incentive to get good reputation --- and discredit other nodes --- to see more traffic
	Tension between giving users accurate timely information, and preventing adversary from manipulating user behavior

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: Free-route mix-net

	Mixes write per-hop receipts to prove good service; witnesses verify and tally failure claims.
	But:
		Global witnesses are trust and communication
%cont, font "italic"
bottlenecks
%font "standard"
		Owning high reputation nodes means you own more paths?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: Cascade mix-net

	Cascades rearrange periodically (eg daily)
	A node fails its own cascade if it detects misbehavior
	Nodes send test messages to monitor their cascades
	Senders can demonstrate decryptions to show failure
	All nodes in cascade get +1 reputation if it succeeds, -1 if it fails.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Example: Free Haven

	Decentralized anonymous publishing system
	Publishers decide lifetime of their file
	Servers trade files around (dynamic system, plausibility)
	Tit for tat: I'll store your file if you'll store mine.
	Hard: need reputation system to determine who will cheat
	Harder: how do you verify a claim?

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

More open topics

	Are dynamic p2p systems that need reliability and don't allow verifying claims doomed?
		Altruism, redundancy, other factors?
	Can we implement reputation with currency?
		May allow easier decentralization.
	Incentives: If anonymity for all requires each user doing similar things, how do we deal with users who don't want as much anonymity?
	Do we have to abandon statistical rigor in the face of dynamic systems and adversaries?
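
Added example, not part of the original slides: a small simulation of the scoring rule on the "Example: Cascade mix-net" slide, where every node in a cascade gets +1 if the cascade succeeds and -1 if it fails, with cascades rearranged each period. The node names, the failure probabilities, and the assumption that a cascade fails whenever any one member misbehaves are constructed for illustration.

```python
import random

def simulate_cascades(fail_prob, cascade_len, periods, seed=0):
    """Score nodes with the slide's rule: +1 to every member of a cascade
    that succeeds in a period, -1 to every member of one that fails.

    fail_prob: node name -> probability the node misbehaves in a period
    (constructed input). Assumption: a cascade fails when any member
    misbehaves, because an honest member then fails its own cascade.
    """
    rng = random.Random(seed)          # seeded so the run is repeatable
    nodes = sorted(fail_prob)
    if len(nodes) % cascade_len:
        raise ValueError("node count must be a multiple of cascade_len")
    scores = dict.fromkeys(nodes, 0)
    for _ in range(periods):
        rng.shuffle(nodes)             # cascades rearrange each period
        for i in range(0, len(nodes), cascade_len):
            cascade = nodes[i:i + cascade_len]
            # Draw for every member (no short-circuit) so each node's
            # behaviour is sampled independently of its position.
            failed = any([rng.random() < fail_prob[n] for n in cascade])
            for n in cascade:
                scores[n] += -1 if failed else 1
    return scores

def rank(scores):
    """Nodes ordered from worst to best reputation."""
    return sorted(scores, key=lambda n: (scores[n], n))

# Constructed sample: eight reliable nodes and one that always misbehaves.
SAMPLE = {f"mix{i}": 0.0 for i in range(8)}
SAMPLE["mix8"] = 1.0

if __name__ == "__main__":
    result = simulate_cascades(SAMPLE, cascade_len=3, periods=200)
    for name in rank(result):
        print(f"{name}: {result[name]:+d}")
```

With the constructed sample the always-failing node ends at -200, while reliable nodes lose points only in the periods where they shared its cascade.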