try to address #5660:

author: Christian Grothoff <christian@grothoff.org> 2019-04-20 21:45:25 +0200
committer: Christian Grothoff <christian@grothoff.org> 2019-04-20 21:45:25 +0200
commit: 32485c3b58983ada1943b3fa27eac3b0cff2a9da (patch)
tree: 1e439c5054194faef2f52a86f16a7c13f5f5aa20 /doc/handbook
parent: 5fab02b10baef639121723aacf3b1351e5db8003 (diff)
download: gnunet-32485c3b58983ada1943b3fa27eac3b0cff2a9da.tar.gz
gnunet-32485c3b58983ada1943b3fa27eac3b0cff2a9da.zip
2 files changed, 26 insertions, 16 deletions
diff --git a/doc/handbook/chapters/keyconcepts.texi b/doc/handbook/chapters/keyconcepts.texi
index 4b49a7ffb..4900ed328 100644
--- a/doc/handbook/chapters/keyconcepts.texi
+++ b/doc/handbook/chapters/keyconcepts.texi
@@ -15,7 +15,7 @@ The second part describes concepts specific to anonymous file-sharing.
 * Accounting to Encourage Resource Sharing::
 * Confidentiality::
 * Anonymity::
-* Deniability::                       
+* Deniability::
 * Peer Identities::
 * Zones in the GNU Name System (GNS Zones)::
 * Egos::
@@ -165,16 +165,20 @@ and Bart Preneel. Towards measuring anonymity.
 (@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf}))
 that can help quantify the level of anonymity that a given mechanism
 provides, there is no such thing as "complete anonymity".
 GNUnet's file-sharing implementation allows users to select for each
 operation (publish, search, download) the desired level of anonymity.
-The metric used is the amount of cover traffic available to hide the
+The metric used is based on the amount of cover traffic needed to hide
-request.
+the request.
-While this metric is not as good as, for example, the theoretical metric
-given in scientific metrics,
+While there is no clear way to relate the amount of available cover
-it is probably the best metric available to a peer with a purely local
+traffic to traditional scientific metrics such as the anonymity set or
-view of the world that does not rely on unreliable external information.
+information leakage, it is probably the best metric available to a
-The default anonymity level is @code{1}, which uses anonymous routing but
+peer with a purely local view of the world, in that it does not rely
-imposes no minimal requirements on cover traffic. It is possible
+on unreliable external information or a particular adversary model.
+The default anonymity level is @code{1}, which uses anonymous routing
+but imposes no minimal requirements on cover traffic. It is possible
 to forego anonymity when this is not required. The anonymity level of
 @code{0} allows GNUnet to use more efficient, non-anonymous routing.
@@ -192,7 +196,7 @@ In particular, we assume that the adversary can see all the traffic on
 the Internet. And while we assume that the adversary
 can not break our encryption, we assume that the adversary has many
 participating nodes in the network and that it can thus see many of the
-node-to-node interactions since it controls some of the nodes. 
+node-to-node interactions since it controls some of the nodes.
 The system tries to achieve anonymity based on the idea that users can be
 anonymous if they can hide their actions in the traffic created by other
@@ -235,7 +239,7 @@ Even if the user that downloads data and the server that provides data are
 anonymous, the intermediaries may still be targets. In particular, if the
 intermediaries can find out which queries or which content they are
 processing, a strong adversary could try to force them to censor
-certain materials. 
+certain materials.
 With the file-encoding used by GNUnet's anonymous file-sharing, this
 problem does not arise.
diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi
index 37c5849ab..55518bc34 100644
--- a/doc/handbook/chapters/user.texi
+++ b/doc/handbook/chapters/user.texi
@@ -1054,8 +1054,17 @@ anonymity level of "1" means that anonymous routing is desired, but no
 particular amount of cover traffic is necessary. A powerful adversary
 might thus still be able to deduce the origin of the traffic using
 traffic analysis. Specifying higher anonymity levels increases the
-amount of cover traffic required. While this offers better privacy,
+amount of cover traffic required.
-it can also significantly hurt performance.
+The specific numeric value (for anonymity levels above 1) is simple:
+Given an anonymity level L (above 1), each request FS makes on your
+behalf must be hidden in L-1 equivalent requests of cover traffic
+(traffic your peer routes for others) in the same time-period.  The
+time-period is twice the average delay by which GNUnet artificially
+delays traffic.
+While higher anonymity levels may offer better privacy, they can also
+significantly hurt performance.
 @node Content Priority
 @subsubsection Content Priority
@@ -2324,6 +2333,3 @@ service offered by that peer, you can create an IP tunnel to
 that peer by specifying the peer's identity, service name and
 protocol (--tcp or --udp) and you will again receive an IP address
 that will terminate at the respective peer's service.
author	Christian Grothoff <christian@grothoff.org>	2019-04-20 21:45:25 +0200
committer	Christian Grothoff <christian@grothoff.org>	2019-04-20 21:45:25 +0200
commit	32485c3b58983ada1943b3fa27eac3b0cff2a9da (patch)
tree	1e439c5054194faef2f52a86f16a7c13f5f5aa20 /doc/handbook
parent	5fab02b10baef639121723aacf3b1351e5db8003 (diff)
download	gnunet-32485c3b58983ada1943b3fa27eac3b0cff2a9da.tar.gz gnunet-32485c3b58983ada1943b3fa27eac3b0cff2a9da.zip

diff --git a/doc/handbook/chapters/keyconcepts.texi b/doc/handbook/chapters/keyconcepts.texi index 4b49a7ffb..4900ed328 100644 --- a/doc/handbook/chapters/keyconcepts.texi +++ b/doc/handbook/chapters/keyconcepts.texi
@@ -15,7 +15,7 @@ The second part describes concepts specific to anonymous file-sharing.
15	* Accounting to Encourage Resource Sharing::	15	* Accounting to Encourage Resource Sharing::
16	* Confidentiality::	16	* Confidentiality::
17	* Anonymity::	17	* Anonymity::
18	* Deniability::	18	* Deniability::
19	* Peer Identities::	19	* Peer Identities::
20	* Zones in the GNU Name System (GNS Zones)::	20	* Zones in the GNU Name System (GNS Zones)::
21	* Egos::	21	* Egos::
@@ -165,16 +165,20 @@ and Bart Preneel. Towards measuring anonymity.
165	(@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf}))	165	(@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf}))
166	that can help quantify the level of anonymity that a given mechanism	166	that can help quantify the level of anonymity that a given mechanism
167	provides, there is no such thing as "complete anonymity".	167	provides, there is no such thing as "complete anonymity".
		168
168	GNUnet's file-sharing implementation allows users to select for each	169	GNUnet's file-sharing implementation allows users to select for each
169	operation (publish, search, download) the desired level of anonymity.	170	operation (publish, search, download) the desired level of anonymity.
170	The metric used is the amount of cover traffic available to hide the	171	The metric used is based on the amount of cover traffic needed to hide
171	request.	172	the request.
172	While this metric is not as good as, for example, the theoretical metric	173
173	given in scientific metrics,	174	While there is no clear way to relate the amount of available cover
174	it is probably the best metric available to a peer with a purely local	175	traffic to traditional scientific metrics such as the anonymity set or
175	view of the world that does not rely on unreliable external information.	176	information leakage, it is probably the best metric available to a
176	The default anonymity level is @code{1}, which uses anonymous routing but	177	peer with a purely local view of the world, in that it does not rely
177	imposes no minimal requirements on cover traffic. It is possible	178	on unreliable external information or a particular adversary model.
		179
		180	The default anonymity level is @code{1}, which uses anonymous routing
		181	but imposes no minimal requirements on cover traffic. It is possible
178	to forego anonymity when this is not required. The anonymity level of	182	to forego anonymity when this is not required. The anonymity level of
179	@code{0} allows GNUnet to use more efficient, non-anonymous routing.	183	@code{0} allows GNUnet to use more efficient, non-anonymous routing.
180		184
@@ -192,7 +196,7 @@ In particular, we assume that the adversary can see all the traffic on
192	the Internet. And while we assume that the adversary	196	the Internet. And while we assume that the adversary
193	can not break our encryption, we assume that the adversary has many	197	can not break our encryption, we assume that the adversary has many
194	participating nodes in the network and that it can thus see many of the	198	participating nodes in the network and that it can thus see many of the
195	node-to-node interactions since it controls some of the nodes.	199	node-to-node interactions since it controls some of the nodes.
196		200
197	The system tries to achieve anonymity based on the idea that users can be	201	The system tries to achieve anonymity based on the idea that users can be
198	anonymous if they can hide their actions in the traffic created by other	202	anonymous if they can hide their actions in the traffic created by other
@@ -235,7 +239,7 @@ Even if the user that downloads data and the server that provides data are
235	anonymous, the intermediaries may still be targets. In particular, if the	239	anonymous, the intermediaries may still be targets. In particular, if the
236	intermediaries can find out which queries or which content they are	240	intermediaries can find out which queries or which content they are
237	processing, a strong adversary could try to force them to censor	241	processing, a strong adversary could try to force them to censor
238	certain materials.	242	certain materials.
239		243
240	With the file-encoding used by GNUnet's anonymous file-sharing, this	244	With the file-encoding used by GNUnet's anonymous file-sharing, this
241	problem does not arise.	245	problem does not arise.


diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi index 37c5849ab..55518bc34 100644 --- a/doc/handbook/chapters/user.texi +++ b/doc/handbook/chapters/user.texi
@@ -1054,8 +1054,17 @@ anonymity level of "1" means that anonymous routing is desired, but no
1054	particular amount of cover traffic is necessary. A powerful adversary	1054	particular amount of cover traffic is necessary. A powerful adversary
1055	might thus still be able to deduce the origin of the traffic using	1055	might thus still be able to deduce the origin of the traffic using
1056	traffic analysis. Specifying higher anonymity levels increases the	1056	traffic analysis. Specifying higher anonymity levels increases the
1057	amount of cover traffic required. While this offers better privacy,	1057	amount of cover traffic required.
1058	it can also significantly hurt performance.	1058
		1059	The specific numeric value (for anonymity levels above 1) is simple:
		1060	Given an anonymity level L (above 1), each request FS makes on your
		1061	behalf must be hidden in L-1 equivalent requests of cover traffic
		1062	(traffic your peer routes for others) in the same time-period. The
		1063	time-period is twice the average delay by which GNUnet artificially
		1064	delays traffic.
		1065
		1066	While higher anonymity levels may offer better privacy, they can also
		1067	significantly hurt performance.
1059		1068
1060	@node Content Priority	1069	@node Content Priority
1061	@subsubsection Content Priority	1070	@subsubsection Content Priority
@@ -2324,6 +2333,3 @@ service offered by that peer, you can create an IP tunnel to
2324	that peer by specifying the peer's identity, service name and	2333	that peer by specifying the peer's identity, service name and
2325	protocol (--tcp or --udp) and you will again receive an IP address	2334	protocol (--tcp or --udp) and you will again receive an IP address
2326	that will terminate at the respective peer's service.	2335	that will terminate at the respective peer's service.
2327
2328
2329