Incentives, Privacy, and Anonymity in Diffuse Computing:
Results and Future Directions
Supported by the DoD URI program
under ONR grant N00014-01-1-0795
Speaker: Joan Feigenbaum
http://www.cs.yale.edu/homes/jf
SPYCE Objective: Scalable Distributed Assurance
Develop fundamental understanding, models, algorithms, and network testbed, in order to reduce cost, improve performance, and provide higher reliability for networked operations across untrusted networks.
Incentives, Privacy, and Anonymity
Protocol Design and Analysis
Trust Management
Network Architecture
Smart devices diffuse into the environment ... with control and assurance
[Figure: timeline of computing form factors: Room ('40s), Desktop ('80s), Wearable ('90s), Pervasive ('00s)]
Why Incentive Compatibility Matters in Diffuse Computing
Shift in focus from platform to network
Previously "independent" actors are now part of a "continuously adapting" computational ecosystem
Strategic choices are important for adaptation or even survival in this ecosystem
[Cebrowski & Garstka ’98] [SPYCE proposal ’00]
Example: Interdomain Routing
[Figure: interconnected transit ASes: Qwest, Sprint, Cable & Wireless, UUNET]
Agents: Transit Autonomous Systems
Inputs: Routing Costs or Preferences
Outputs: Routes, Payments
Example: Interdomain Routing: 3 Desiderata
- Incentive Compatibility
- Backward Compatibility
- Realistic Routing Model
[Figure: three overlapping circles, one per desideratum; the three pairwise overlaps are labeled BGP, Policy Routing, and Lowest-Cost Routing]
Can get 2 out of 3; 2 are SPYCE achievements
Open question for option: Can we satisfy all 3?
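The slides list the inputs (routing costs) and outputs (routes, payments) of the lowest-cost-routing mechanism but not how the payments are formed. The following is an added example, not part of the slides or of the cited authors' code: it computes the VCG-style payment used in the lowest-cost-routing results cited at the end of the deck (an AS on the chosen path is paid its declared cost plus the extra cost the network would incur if that AS were unavailable) and then brute-forces every misreport one AS could make to show that declaring its true cost is a dominant strategy. The topology, the cost values and the AS names A, B, C, E are constructed for the example; the cited work computes these payments in a distributed, BGP-based way, whereas this script computes them centrally.

```python
import heapq

# Constructed example topology (not from the slides): undirected AS graph.
# S is the source, D the destination; A, B, C, E are transit ASes.
TOPOLOGY = {
    "S": ["A", "B", "E"],
    "A": ["S", "D"],
    "B": ["S", "C"],
    "C": ["B", "D"],
    "E": ["S", "D"],
    "D": ["A", "C", "E"],
}
# True per-packet transit costs, private to each transit AS (constructed).
TRUE_COSTS = {"A": 5, "B": 2, "C": 2, "E": 9}


def lowest_cost_path(topology, declared, src, dst, exclude=None):
    """Dijkstra over declared node costs.

    Path cost = sum of the declared transit costs of the intermediate
    nodes (source and destination carry no transit cost).  Returns
    (cost, path), or (inf, None) if no path avoids `exclude`.
    """
    inf = float("inf")
    best = {src: 0}
    heap = [(0, [src])]
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return cost, path
        if cost > best.get(node, inf):
            continue  # stale heap entry
        for nxt in topology[node]:
            if nxt == exclude or nxt in path:
                continue
            new_cost = cost + (0 if nxt == dst else declared[nxt])
            if new_cost < best.get(nxt, inf):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, path + [nxt]))
    return inf, None


def vcg_payments(topology, declared, src, dst):
    """Route src->dst on the lowest-cost path and compute VCG payments.

    An AS k on the chosen path is paid its declared cost plus the extra cost
    the network would incur without k (lowest-cost path avoiding k minus the
    lowest-cost path overall); ASes off the path are paid nothing.  The
    payment is infinite if k is a cut node, which is why the cited work
    assumes a biconnected AS graph.
    """
    lcp_cost, lcp = lowest_cost_path(topology, declared, src, dst)
    if lcp is None:
        raise ValueError("no path from %s to %s" % (src, dst))
    payments = {k: 0 for k in declared}
    for k in lcp[1:-1]:
        alt_cost, _ = lowest_cost_path(topology, declared, src, dst, exclude=k)
        payments[k] = declared[k] + alt_cost - lcp_cost
    return lcp, payments


def utility(topology, declared, true_costs, k, src, dst):
    """Payment received minus the TRUE cost of carrying the traffic."""
    lcp, payments = vcg_payments(topology, declared, src, dst)
    return payments[k] - (true_costs[k] if k in lcp else 0)


def best_deviation(topology, true_costs, k, src, dst, candidates=range(12)):
    """Brute-force check: can AS k gain by misreporting its cost?

    Returns (truthful utility, best misreport or None, gain from it).
    """
    truthful = utility(topology, dict(true_costs), true_costs, k, src, dst)
    best_lie, best_gain = None, 0
    for c in candidates:
        declared = dict(true_costs, **{k: c})
        gain = utility(topology, declared, true_costs, k, src, dst) - truthful
        if gain > best_gain:
            best_lie, best_gain = c, gain
    return truthful, best_lie, best_gain


if __name__ == "__main__":
    path, pay = vcg_payments(TOPOLOGY, TRUE_COSTS, "S", "D")
    print("route:", " -> ".join(path), "payments:", pay)
    for k in TRUE_COSTS:
        print(k, "truthful utility / best lie / gain:",
              best_deviation(TOPOLOGY, TRUE_COSTS, k, "S", "D"))
```

On the constructed graph the chosen route is S-B-C-D (cost 4) and B and C are each paid 3: their declared cost of 2 plus the 1 the network would have to pay extra to route via A without them. Raising the declared cost does not raise the payment as long as the AS stays on the path, and raising it enough to leave the path drops the payment to zero, so no misreport beats the truth; this is the incentive-compatibility half of the desiderata above, and the example treats the routing model (pure lowest cost) as given.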
Sample SPYCE Accomplishments on Incentives
Rational, Multiparty Function Evaluation [Cornell, Stanford]
- Impossible with fixed upper bound on # rounds
- Feasible for any "non-cooperatively computable function" if # rounds is a random variable
Multicast cost sharing [Yale, Berkeley, Stanford]
- Welfare maximization is easy
- Budget balancing is hard
Economics of Anonymity Systems [NRL et al.]
- Free riding can be beneficial
- Price discrimination doesn't work well
Incentivizing cooperation in Ad Hoc Networks [Yale]
- Cryptography prevents cheating in Sprite payment system
- Performance can suffer if batteries are low
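The multicast bullet ("welfare maximization is easy, budget balancing is hard") is illustrated by the following added example, which is not from the slides or from the cited authors' code. It implements the marginal-cost (MC) cost-sharing mechanism from the multicast cost-sharing results cited at the end of the deck: receivers report their utilities, one bottom-up pass over the multicast tree computes the maximum welfare, and one top-down pass computes each receiver's payment. The tree, link costs and utilities (nodes a..d, receivers r1..r5) are constructed; the helper at the end confirms that each served receiver pays its utility minus its marginal contribution to welfare, which is what makes truthful reporting optimal, and the constructed tree shows the mechanism running a budget deficit (payments 5 against link cost 9).

```python
from collections import deque

# Constructed multicast tree (not from the slides): node -> (parent, cost of
# the link from the parent).  "src" is the source and has no incoming link.
TREE = {
    "src": (None, 0),
    "a": ("src", 2),
    "b": ("a", 3),
    "c": ("src", 4),
    "d": ("b", 5),
}
# Receivers: id -> (node where attached, utility for receiving).  Constructed;
# utilities are private information that the mechanism asks receivers to report.
RECEIVERS = {
    "r1": ("a", 1),
    "r2": ("b", 6),
    "r3": ("c", 3),
    "r4": ("c", 4),
    "r5": ("d", 2),
}


def mc_mechanism(tree, receivers):
    """Marginal-cost (MC) multicast cost sharing in two tree passes.

    Bottom-up: W(n) = reported utilities at n - cost of n's incoming link
               + sum of the non-negative W of n's children (a subtree with
               negative welfare is pruned, so it contributes 0).
    Top-down:  A(n) = min(W(n), A(parent(n))), with A(root) = W(root).
    Node n is served iff A(n) >= 0, and receiver i at n pays
    max(0, u_i - A(n)).  W(root) is the maximum achievable welfare.
    """
    children = {n: [] for n in tree}
    root = None
    for n, (parent, _) in tree.items():
        if parent is None:
            root = n
        else:
            children[parent].append(n)
    util_at = {n: 0 for n in tree}
    for node, u in receivers.values():
        util_at[node] += u

    welfare = {}

    def bottom_up(n):
        w = util_at[n] - tree[n][1]
        for ch in children[n]:
            w += max(0, bottom_up(ch))
        welfare[n] = w
        return w

    bottom_up(root)

    access = {root: welfare[root]}
    queue = deque([root])
    while queue:
        n = queue.popleft()
        for ch in children[n]:
            access[ch] = min(welfare[ch], access[n])
            queue.append(ch)

    payments = {
        rid: (max(0, u - access[node]) if access[node] >= 0 else 0)
        for rid, (node, u) in receivers.items()
    }
    served = sorted(rid for rid, (node, _) in receivers.items() if access[node] >= 0)
    return {
        "welfare": welfare[root],
        "served": served,
        "payments": payments,
        "revenue": sum(payments.values()),
        "link_cost": sum(cost for n, (_, cost) in tree.items() if access[n] >= 0),
    }


def marginal_cost_check(tree, receivers):
    """Verify the MC property: every served receiver pays its utility minus
    its marginal contribution to welfare (welfare with i minus welfare without i)."""
    full = mc_mechanism(tree, receivers)
    for rid in full["served"]:
        u = receivers[rid][1]
        without = {r: v for r, v in receivers.items() if r != rid}
        contribution = full["welfare"] - mc_mechanism(tree, without)["welfare"]
        if full["payments"][rid] != u - contribution:
            return False
    return True


if __name__ == "__main__":
    result = mc_mechanism(TREE, RECEIVERS)
    print(result)
    print("MC property holds:", marginal_cost_check(TREE, RECEIVERS))
```

Each node is visited once per pass with a constant amount of state per link, which is the sense in which welfare maximization is "easy"; the deficit (revenue 5, link cost 9) is the price of that. A budget-balanced alternative has to distribute cost differently, and the cited work is what shows that doing so is far more expensive to compute across the network.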
Why Privacy Protection Matters in Diffuse Computing
Organizational privacy critical to CIP
Diffusion of computational responsibility:
- May increase prevalence of sensitive databases
- May increase exposure of sensitive databases
Privacy vs Utility trade-off: two extremes
- No information; complete privacy
- Complete information; no privacy
SPYCE approach: find a middle path
- Preserve macroscopic properties
- "Disguise" individual identifying information
The SPYCE Approach [MS et al.]
Crypto-flavored definitions
- Mathematical characterization of Adversary's goal (Intuition: single out someone from the crowd)
- Precise definition of when sanitization fails (Intuition: seeing sanitized DB gives Adversary an advantage)
Statistical techniques
- Perturbation of attribute values
- Amounts depend on local densities of points
Highly abstracted version of problem
- If we can't understand this, can't understand real life
- If we get negative results here, bad news for CIP
Flavor of Results (Preliminary)
Focus on high-dimensional, probabilistically generated geometric data
Sample results
- Adversary who knows the generators still has a low probability of isolating points (new proof techniques; only special cases so far)
- Legit users who do not know the generators can still compute means with high probability
Why Anonymity Matters in Diffuse Computing
Diffuse-computing system requirements:
• Every message has a high probability of correct delivery
• Every message has a low probability of anonymity compromise
• Only practical protocols (No ZK proofs...)
• Minimal assumptions about the honesty and competence of participants
• No central trusted parties that know everyone's identities
Sample SPYCE Accomplishments on Anonymity
Reputation in anonymizing networks [NRL]
- Inherent tension between reputation and anonymity
- Designed reputation system to distinguish honest network nodes from dishonest nodes
- Resilient against "creeping-death problem" (coalitions of dishonest agents can gain reputation)
Anonymity taxonomy [SRI]
Formalizing anonymity [NRL, SRI, Cornell]
- Cornell work inspired by SRI SPYCE work
- A knowledge-based approach to anonymity
Focal Point for the SPYCE Option
Combine the study of incentives, privacy, and anonymity
Derive hardness results in diffuse computing. Hardness stems from interplay of computational requirements and incentive-compatibility requirements (as in budget-balanced multicast cost sharing)
Use hardness as a building block in private algorithmic mechanisms or anonymous algorithmic mechanisms
Backup Material
Citations (See SPYCE Web Page)
Interdomain routing: Lowest-cost-routing results: Feigenbaum, Mitchell, Papadimitriou, Sami, Shenker, Talwar, Teague. Policy-routing results: Feigenbaum, Sami, Shenker.
Incentives: Rational multi-party function evaluation results: Halpern and Teague. Multicast cost sharing results: Archer, Feigenbaum, Krishnamurthy, Mitchell, Papadimitriou, Sami, Shenker, Talwar, Teague. Economics of anonymity results: Acquisti, Dingledine, Syverson. Ad hoc networking results: Zhong, Chen, Yang.
Privacy: Privacy results: Chawla, Dwork, McSherry, Smith, Stockmeyer, Wee.
Anonymity: Reputation results: Dingledine, Syverson. Taxonomy results: Hughes, Lincoln, Shmatikov. Formalization results: Halpern, O'Neill, Shmatikov, Syverson.