MTU CS 6461 - Reputation in Privacy Enhancing Technologies

Reputation in Privacy Enhancing Technologies

Roger Dingledine, Nick Mathewson, and Paul Syverson
Reputation Technologies, Inc. Naval Research Laboratory

Copyright is held by the author/owner.

Reputation is the linchpin of a dynamic and pseudonymous future. In a networked world where individuals interact via anonymous remailers, and where the online services they use are themselves provided by an ever-changing pool of semi-anonymous users, the distinction between pseudonym and identity blurs. In this world, reputation is one of the few tools that can still provide trust — trust among the users of distributed services, and even the trust necessary to maintain reliability and accountability of these services.

In its most general form, reputation is memory about past performance. This memory can be localized and idiosyncratic, as in the case of users that remember which servers have worked well in the past; centralized and shared, as in the case of an auction site that tracks customer satisfaction of various vendors; distributed and shared, as in the case of servers that vote one another into different reliability categories; or even implicit within the structure of the system itself, as in the case of systems that embody trust as microcurrency that reliable systems tend to accumulate.

While reputation might superficially seem inimical to privacy concerns, systems with explicit reputation can actually enable privacy by controlling the flow of information about pseudonymous individuals, and reducing the demand for out-of-line information exposure.

As with security, it is tempting but incorrect to think that reputation is a simple matter of bolting an extra service to the side of an existing system. This point is illustrated by two reputation systems that have been designed for use in remailer networks.

An Example: Remailer Networks

Remailer networks allow people to send and receive mail while protecting their identities. Today’s remailer networks use a handful of long-lived, static servers with fairly uniform reliability. Currently deployed reputation systems send periodic test messages through each remailer to determine which are currently working. This “pinging” approach works well enough for a small static list of servers. However, a network that is made of a small static set of remailers is potentially vulnerable to a well-funded adversary in a variety of ways, e.g., denial of service or remailer compromise. Any solution based only on hardening the nodes runs contrary to the basic premise of remailers that trust is distributed rather than mutually assured. Thus, to better resist a well-funded adversary, the remailer network must grow so it has enough nodes to properly distribute trust. Pinging for reputation breaks down in an environment where the network is made up of many transient volunteer nodes. On the other hand, an adversary might render a growing, dynamic network useless by volunteering a flood of unreliable remailers, or it might manipulate the reputation system to improve the standing of remailers it owns.

The first design, presented in [1], describes a reputation system for improving remailer reliability. Remailer reputation is based on both positive and negative performance. It is not enough to just keep track of failures, because new unreliable remailers would be rated the same or better than remailers that consistently perform well. In this design, each remailer in the message’s path passes back a receipt to the one behind it. Senders can successively query for receipts to determine which remailer to blame for delivery failure. However, a remailer might refuse to provide a receipt for a particular message either because it failed to send the message, or because it was unable to obtain a receipt from the next hop. We solve the problem of pinpointing failures by introducing a set of weakly trusted global witnesses. These witnesses are contacted when the next hop in the path refuses the message, allowing a remailer to prove that it made a best-effort delivery attempt. Senders can also tell witnesses about remailers that silently dropped messages (meaning they got a copy but did not attempt to pass it on). These witnesses verify and tally failures, and also send their own test messages to distinguish reliable remailers from new ones that have not yet been tested. Reputations are tabulated and made available to client software, which can use them to choose reliable remailers for sending anonymous mail.

This reputation system attempts to improve reliability in a long-term sense, rather than giving provable delivery guarantees for each message. On the other hand, it still relies both on proofs of correct behavior to establish reputations, and trusted witnesses to determine and keep track of them.

The reputation system in [3] does away with trusted witnesses and proofs in favor of self-rating groups of remailers. Remailers are arranged in cascades (fixed-order routes of determinate length). New cascades are formed at a regular interval, e.g., one day, and the formation of cascades is based on a communally generated random value so that no set of collaborating remailers can predict which remailer will be in which cascade, as long as at least one of them is honest. Remailers send test messages through their own cascades and can also receive evidence of failure from client senders. Rather than depending on proofs of remailer performance, a cascade fails when and only when some member of that cascade has declared it to have failed. All members of cascades that do not fail during an interval increase in reputation; all members of cascades that fail decrease. To make it harder for the head remailer of a cascade to undetectably fail or fail selectively, each of the cascade members is responsible for a portion of the messages that go through a cascade in each batch. In effect, each member is the head for some of the messages. Similarly, the tail of the cascade sends each message in a batch to each of the other cascade members rather than
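
The cascade scoring rule of [3] described above, as an added simulation that is not code from the paper: honest remailers lose a point whenever they share a cascade with an unreliable one, but reshuffling every interval leaves the unreliable remailer with the lowest score. The function names, the hash-based seed, the constructed remailer names and the rule that any cascade containing an unreliable member is declared failed are assumptions made for illustration.

```python
import hashlib
import random

def shared_seed(contributions):
    # Assumption: the communal value is a hash over every member's contribution.
    # A deployment would add commit-then-reveal so the last contributor cannot
    # pick its value after seeing the others.
    h = hashlib.sha256()
    for c in sorted(contributions):
        h.update(hashlib.sha256(c).digest())
    return h.digest()

def form_cascades(remailers, seed, length):
    # Shuffle deterministically from the shared seed, then cut fixed-length routes.
    order = sorted(remailers)
    random.Random(seed).shuffle(order)
    return [order[i:i + length] for i in range(0, len(order) - length + 1, length)]

def run_interval(cascades, declared_failed, reputation):
    # A cascade fails when and only when some member declares it failed;
    # every member of that cascade then shares the outcome.
    for cascade in cascades:
        delta = -1 if declared_failed(cascade) else 1
        for r in cascade:
            reputation[r] += delta

def simulate(remailers, unreliable, intervals=30, length=3):
    reputation = {r: 0 for r in remailers}
    for day in range(intervals):
        # Constructed stand-ins for each remailer's random contribution.
        contributions = [f"{r}:{day}".encode() for r in remailers]
        cascades = form_cascades(remailers, shared_seed(contributions), length)
        # Model assumption: test messages expose a dropping member, so any
        # cascade containing an unreliable remailer is declared failed.
        run_interval(cascades, lambda c: any(m in unreliable for m in c), reputation)
    return reputation

if __name__ == "__main__":
    names = [f"r{i}" for i in range(9)]  # constructed remailer names
    for name, score in sorted(simulate(names, {"r3"}).items(), key=lambda kv: kv[1]):
        print(name, score)
```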

