
Page 1

Incentives, Privacy, and Anonymity in Diffuse Computing:

Results and Future Directions

Supported by the DoD URI program

under ONR grant N00014-01-1-0795

Speaker: Joan Feigenbaum

http://www.cs.yale.edu/homes/jf

Page 2

SPYCE Objective: Scalable Distributed Assurance

Develop fundamental understanding, models, algorithms, and network testbed, in order to reduce cost, improve performance, and provide higher reliability for networked operations across untrusted networks.

- Incentives, Privacy, and Anonymity
- Protocol Design and Analysis
- Trust Management
- Network Architecture

Smart devices diffuse into the environment … with control and assurance

[Figure labels: Desktop ‘80s, Room ‘40s, Wearable ‘90s, Pervasive ‘00s]

Page 3

Why Incentive Compatibility Matters in Diffuse Computing

- Shift in focus from platform to network
- Previously “independent” actors are now part of a “continuously adapting” computational ecosystem
- Strategic choices are important for adaptation or even survival in this ecosystem

[Cebrowski & Garstka ’98] [SPYCE proposal ’00]

Page 4

Example: Interdomain Routing

[Figure labels: Qwest, Sprint, Cable & Wireless, UUNET]

- Agents: Transit Autonomous Systems
- Inputs: Routing Costs or Preferences
- Outputs: Routes, Payments

Page 5

Example: Interdomain Routing

3 Desiderata

- Incentive Compatibility
- Backward Compatibility
- Realistic Routing Model

Can get 2 out of 3

2 are SPYCE achievements

Open question for option: Can we satisfy all 3?

[Figure labels: BGP, Policy Routing, Lowest-Cost Routing]

Page 6

Sample SPYCE Accomplishments on Incentives

Rational, Multiparty Function Evaluation [Cornell Stanford]
- Impossible with fixed upper bound on # rounds
- Feasible for any “non-cooperatively computable function” if # rounds is a random variable

Multicast cost sharing [Yale Berkeley Stanford]
- Welfare maximization is easy
- Budget balancing is hard

Economics of Anonymity Systems [NRL et al.]
- Free riding can be beneficial
- Price discrimination doesn’t work well

Incentivizing cooperation in Ad Hoc Networks [Yale]
- Cryptography prevents cheating in Sprite payment system
- Performance can suffer if batteries are low

Page 7

Why Privacy Protection Matters in Diffuse Computing

Organizational privacy critical to CIP

Diffusion of computational responsibility:
- May increase prevalence of sensitive databases
- May increase exposure of sensitive databases

Privacy vs Utility trade-off: two extremes
- No information; complete privacy
- Complete information; no privacy

SPYCE approach: find a middle path
- Preserve macroscopic properties
- “Disguise” individual identifying information

Page 8

The SPYCE Approach [MS et al.]

Crypto-flavored definitions
- Mathematical characterization of Adversary’s goal
  Intuition: single out someone from the crowd
- Precise definition of when sanitization fails
  Intuition: seeing sanitized DB gives Adversary an advantage

Statistical Techniques
- Perturbation of attribute values
- Amounts depend on local densities of points

Highly abstracted version of problem
- If we can’t understand this, can’t understand real life
- If we get negative results here, bad news for CIP

Page 9

Flavor of Results (Preliminary)

Focus on high-dimensional, probabilistically generated geometric data

Sample results
- Adversary who knows the generators still has a low probability of isolating points
- Legit users who do not know the generators can still compute means with high probability

New proof techniques

Only special cases so far

Page 10

Why Anonymity Matters in Diffuse Computing

Diffuse-computing system requirements:
• Every message has a high probability of correct delivery
• Every message has a low probability of anonymity compromise
• Only practical protocols (No ZK proofs...)
• Minimal assumptions about the honesty and competence of participants
• No central trusted parties that know everyone’s identities

Page 11

Sample SPYCE Accomplishments on Anonymity

Reputation in anonymizing networks [NRL]
- Inherent tension between reputation and anonymity
- Designed reputation system to distinguish honest network nodes from dishonest nodes
- Resilient against “creeping-death problem” (coalitions of dishonest agents can gain reputation)

Anonymity taxonomy [SRI]

Formalizing anonymity [NRL, SRI, Cornell]
- Cornell work inspired by SRI SPYCE work
- A knowledge-based approach to anonymity

Page 12

Focal Point for the SPYCE Option

Combine the study of incentives, privacy, and anonymity

Derive hardness results in diffuse computing. Hardness stems from interplay of computational requirements and incentive-compatibility requirements (as in budget-balanced multicast cost sharing)

Use hardness as a building block in private algorithmic mechanisms or anonymous algorithmic mechanisms

Page 13

Backup Material

Page 14

Citations (See SPYCE Web Page)

Page 5:
- Lowest-cost-routing results: Feigenbaum, Mitchell, Papadimitriou, Sami, Shenker, Talwar, Teague
- Policy-routing results: Feigenbaum, Sami, Shenker

Page 6:
- Rational multi-party function evaluation results: Halpern and Teague
- Multicast cost sharing results: Archer, Feigenbaum, Krishnamurthy, Mitchell, Papadimitriou, Sami, Shenker, Talwar, Teague
- Economics of anonymity results: Acquisti, Dingledine, Syverson
- Ad hoc networking results: Zhong, Chen, Yang

Page 8:
- Privacy results: Chawla, Dwork, McSherry, Smith, Stockmeyer, Wee

Page 11:
- Reputation results: Dingledine, Syverson
- Taxonomy results: Hughes, Lincoln, Shmatikov
- Formalization results: Halpern, O’Neill, Shmatikov, Syverson