6 files changed, 91 insertions, 99 deletions

diff --git a/doc/handbook/chapters/keyconcepts.texi b/doc/handbook/chapters/keyconcepts.texi
index 4b49a7ffb..4900ed328 100644
--- a/doc/handbook/chapters/keyconcepts.texi
+++ b/doc/handbook/chapters/keyconcepts.texi
@@ -15,7 +15,7 @@ The second part describes concepts specific to anonymous file-sharing.
 * Accounting to Encourage Resource Sharing::
 * Confidentiality::
 * Anonymity::
-* Deniability::                       
+* Deniability::
 * Peer Identities::
 * Zones in the GNU Name System (GNS Zones)::
 * Egos::
@@ -165,16 +165,20 @@ and Bart Preneel. Towards measuring anonymity.
 (@uref{https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf, https://git.gnunet.org/bibliography.git/plain/docs/article-89.pdf}))
 that can help quantify the level of anonymity that a given mechanism
 provides, there is no such thing as "complete anonymity".
+
 GNUnet's file-sharing implementation allows users to select for each
 operation (publish, search, download) the desired level of anonymity.
-The metric used is the amount of cover traffic available to hide the
-request.
-While this metric is not as good as, for example, the theoretical metric
-given in scientific metrics,
-it is probably the best metric available to a peer with a purely local
-view of the world that does not rely on unreliable external information.
-The default anonymity level is @code{1}, which uses anonymous routing but
-imposes no minimal requirements on cover traffic. It is possible
+The metric used is based on the amount of cover traffic needed to hide
+the request.
+
+While there is no clear way to relate the amount of available cover
+traffic to traditional scientific metrics such as the anonymity set or
+information leakage, it is probably the best metric available to a
+peer with a purely local view of the world, in that it does not rely
+on unreliable external information or a particular adversary model.
+
+The default anonymity level is @code{1}, which uses anonymous routing
+but imposes no minimal requirements on cover traffic. It is possible
 to forego anonymity when this is not required. The anonymity level of
 @code{0} allows GNUnet to use more efficient, non-anonymous routing.
 
@@ -192,7 +196,7 @@ In particular, we assume that the adversary can see all the traffic on
 the Internet. And while we assume that the adversary
 can not break our encryption, we assume that the adversary has many
 participating nodes in the network and that it can thus see many of the
-node-to-node interactions since it controls some of the nodes. 
+node-to-node interactions since it controls some of the nodes.
 
 The system tries to achieve anonymity based on the idea that users can be
 anonymous if they can hide their actions in the traffic created by other
@@ -235,7 +239,7 @@ Even if the user that downloads data and the server that provides data are
 anonymous, the intermediaries may still be targets. In particular, if the
 intermediaries can find out which queries or which content they are
 processing, a strong adversary could try to force them to censor
-certain materials. 
+certain materials.
 
 With the file-encoding used by GNUnet's anonymous file-sharing, this
 problem does not arise.
diff --git a/doc/handbook/chapters/user.texi b/doc/handbook/chapters/user.texi
index 37c5849ab..55518bc34 100644
--- a/doc/handbook/chapters/user.texi
+++ b/doc/handbook/chapters/user.texi
@@ -1054,8 +1054,17 @@ anonymity level of "1" means that anonymous routing is desired, but no
 particular amount of cover traffic is necessary. A powerful adversary
 might thus still be able to deduce the origin of the traffic using
 traffic analysis. Specifying higher anonymity levels increases the
-amount of cover traffic required. While this offers better privacy,
-it can also significantly hurt performance.
+amount of cover traffic required.
+
+The specific numeric value (for anonymity levels above 1) is simple:
+Given an anonymity level L (above 1), each request FS makes on your
+behalf must be hidden in L-1 equivalent requests of cover traffic
+(traffic your peer routes for others) in the same time-period.  The
+time-period is twice the average delay by which GNUnet artificially
+delays traffic.
+
+While higher anonymity levels may offer better privacy, they can also
+significantly hurt performance.
 
 @node Content Priority
 @subsubsection Content Priority
@@ -2324,6 +2333,3 @@ service offered by that peer, you can create an IP tunnel to
 that peer by specifying the peer's identity, service name and
 protocol (--tcp or --udp) and you will again receive an IP address
 that will terminate at the respective peer's service.
-
-
-
diff --git a/doc/man/gnunet-auto-share.1 b/doc/man/gnunet-auto-share.1
index 19cb998fa..e68ecdc08 100644
--- a/doc/man/gnunet-auto-share.1
+++ b/doc/man/gnunet-auto-share.1
@@ -28,24 +28,25 @@ You can run the tool by hand or automatically by adding the respective options t
 gnunet-auto-share has many options in common with gnunet-publish, but can only be used to index files.
 .Pp
 You can use automatic meta-data extraction (based on libextractor).
+.Sh OPTIONS
 .Bl -tag -width Ds
 .It Fl a Ar LEVEL | Fl \-anonymity= Ns Ar LEVEL
-This option can be used to specify additional anonymity constraints.
+This option can be used to specify additional anonymity constraints. The default is 1.
 If set to 0, GNUnet will publish the file non-anonymously and in fact sign the advertisement for the file using your peer's private key.
-This will allow other users to download the file as fast as possible, including using non-anonymous methods (DHT, direct transfer).
+This will allow other users to download the file as fast as possible, including using non-anonymous methods (discovery via DHT and CADET transfer).
 If you set it to 1 (default), you use the standard anonymous routing algorithm (which does not explicitly leak your identity).
-However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time infer data about your identity.
-You can gain better privacy by specifying a higher level of anonymity, which increases the amount of cover traffic your own traffic will get, at the expense of performance.
-Note that regardless of the anonymity level you choose, peers that cache content in the network always use anonymity level 1.
-.Pp
-The definition of the ANONYMITY LEVEL is the following.
-0 means no anonymity is required.
-Otherwise a value of 'v' means that 1 out of v bytes of "anonymous" traffic can be from the local user, leaving 'v-1' bytes of cover traffic per byte on the wire.
-Thus, if GNUnet routes n bytes of messages from foreign peers (using anonymous routing), it may originate n/(v-1) bytes of data in the same time-period.
-The time-period is twice the average delay that GNUnet defers forwarded queries.
-.Pp
-The default is 1 and this should be fine for most users.
-Also notice that if you choose very large values, you may end up having no throughput at all, especially if many of your fellow GNUnet-peers all do the same.
+However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time discovery your identity.
+You can gain better privacy by specifying a higher level of anonymity (using values above 1).
+This tells FS that it must hide your own requests in equivalent\-looking cover traffic.
+This should confound an adversaries traffic analysis, increasing the time and effort it would
+take to discover your identity. However, it also can significantly reduce performance, as
+your requests will be delayed until sufficient cover traffic is available.  The specific
+numeric value (for anonymity levels above 1) is simple:
+Given an anonymity level L (above 1), each request FS makes on your behalf must be hidden in L\-1 equivalent
+requests of cover traffic (traffic your peer routes for others) in the same time\-period.
+The time\-period is twice the average delay by which GNUnet artificially delays traffic.
+Note that regardless of the anonymity level you choose, peers that cache content in the
+network always use anonymity level 1.
 .It Fl c Ar FILENAME | Fl \-config= Ns Ar FILENAME
 Use alternate config file (if this option is not specified, the default is
 .Pa ~/.config/gnunet.conf Ns ).
diff --git a/doc/man/gnunet-download.1 b/doc/man/gnunet-download.1
index e2c4ab365..f278694c3 100644
--- a/doc/man/gnunet-download.1
+++ b/doc/man/gnunet-download.1
@@ -24,8 +24,22 @@ a command line interface for downloading files from GNUnet
 Download files from GNUnet.
 .Bl -tag -width Ds
 .It Fl a Ar LEVEL | Fl \-anonymity= Ns Ar LEVEL
-Set desired level of receiver anonymity.
-Default is 1.
+This option can be used to specify additional anonymity constraints. The default is 1.
+If set to 0, GNUnet will publish the file non-anonymously and in fact sign the advertisement for the file using your peer's private key.
+This will allow other users to download the file as fast as possible, including using non-anonymous methods (discovery via DHT and CADET transfer).
+If you set it to 1 (default), you use the standard anonymous routing algorithm (which does not explicitly leak your identity).
+However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time discovery your identity.
+You can gain better privacy by specifying a higher level of anonymity (using values above 1).
+This tells FS that it must hide your own requests in equivalent\-looking cover traffic.
+This should confound an adversaries traffic analysis, increasing the time and effort it would
+take to discover your identity. However, it also can significantly reduce performance, as
+your requests will be delayed until sufficient cover traffic is available.  The specific
+numeric value (for anonymity levels above 1) is simple:
+Given an anonymity level L (above 1), each request FS makes on your behalf must be hidden in L-1 equivalent
+requests of cover traffic (traffic your peer routes for others) in the same time\-period.
+The time\-period is twice the average delay by which GNUnet artificially delays traffic.
+Note that regardless of the anonymity level you choose, peers that cache content in the
+network always use anonymity level 1.
 .It Fl c Ar FILENAME | Fl \-config= Ns Ar FILENAME
 Use config file (default:
 .Pa ~/.config/gnunet.conf Ns )
@@ -88,31 +102,6 @@ If you ever have to abort a download, you can at any time continue it by re-issu
 In that case GNUnet will not download blocks again that are already present.
 GNUnet's file-encoding will ensure file integrity, even if the existing file was not downloaded from GNUnet in the first place.
 Temporary information will be appended to the target file until the download is completed.
-.Ss SETTING ANONYMITY LEVEL
-The
-.Fl a
-option can be used to specify additional anonymity constraints.
-If set to 0, GNUnet will try to download the file as fast as possible, including using non-anonymous methods.
-If you set it to 1 (default), you use the standard anonymous routing algorithm (which does not explicitly leak your identity).
-However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time infer data about your identity.
-You can gain better privacy by specifying a higher level of anonymity, which increases the amount of cover traffic your own traffic will get, at the expense of performance.
-Note that your download performance is not only determined by your own anonymity level, but also by the anonymity level of the peers publishing the file.
-So even if you download with anonymity level 0, the peers publishing the data might be sharing with a higher anonymity level, which in this case will determine performance.
-Also, peers that cache content in the network always use anonymity level 1.
-.Pp
-This option can be used to limit requests further than that.
-In particular, you can require GNUnet to receive certain amounts of traffic from other peers before sending your queries.
-This way, you can gain very high levels of anonymity - at the expense of much more traffic and much higher latency.
-So set it only if you really believe you need it.
-.Pp
-The definition of ANONYMITY\-RECEIVE is the following.
-0 means no anonymity is required.
-Otherwise a value of 'v' means that 1 out of v bytes of "anonymous" traffic can be from the local user, leaving 'v-1' bytes of cover traffic per byte on the wire.
-Thus, if GNUnet routes n bytes of messages from foreign peers (using anonymous routing), it may originate n/(v-1) bytes of queries in the same time\-period.
-The time\-period is twice the average delay that GNUnet defers forwarded queries.
-.Pp
-The default is 1 and this should be fine for most users.
-Also notice that if you choose very large values, you may end up having no throughput at all, especially if many of your fellow GNUnet\-peers all do the same.
 .Sh FILES
 .Pa ~/.config/gnunet.conf
 GNUnet configuration file
diff --git a/doc/man/gnunet-publish.1 b/doc/man/gnunet-publish.1
index 0cfad4c78..b003f27e0 100644
--- a/doc/man/gnunet-publish.1
+++ b/doc/man/gnunet-publish.1
@@ -125,7 +125,25 @@ However, indexing only works if the indexed file can be read (using the same abs
 If this is not the case, indexing will fail (and gnunet-publish will automatically revert to publishing instead).
 Regardless of which method is used to publish the file, the file will be slowly (depending on how often it is requested and on how much bandwidth is available) dispersed into the network.
 If you publish or index a file and then leave the network, it will almost always NOT be available anymore.
+.Sh OPTIONS
 .Bl -tag -width Ds
+.It Fl a Ar LEVEL | Fl \-anonymity= Ns Ar LEVEL
+This option can be used to specify additional anonymity constraints. The default is 1.
+If set to 0, GNUnet will publish the file non-anonymously and in fact sign the advertisement for the file using your peer's private key.
+This will allow other users to download the file as fast as possible, including using non-anonymous methods (discovery via DHT and CADET transfer).
+If you set it to 1 (default), you use the standard anonymous routing algorithm (which does not explicitly leak your identity).
+However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time discovery your identity.
+You can gain better privacy by specifying a higher level of anonymity (using values above 1).
+This tells FS that it must hide your own requests in equivalent\-looking cover traffic.
+This should confound an adversaries traffic analysis, increasing the time and effort it would
+take to discover your identity. However, it also can significantly reduce performance, as
+your requests will be delayed until sufficient cover traffic is available.  The specific
+numeric value (for anonymity levels above 1) is simple:
+Given an anonymity level L (above 1), each request FS makes on your behalf must be hidden in L\-1 equivalent
+requests of cover traffic (traffic your peer routes for others) in the same time\-period.
+The time\-period is twice the average delay by which GNUnet artificially delays traffic.
+Note that regardless of the anonymity level you choose, peers that cache content in the
+network always use anonymity level 1.
 .It Fl c Ar FILENAME | Fl \-config= Ns Ar FILENAME
 Use alternate config file FILENAME.
 If this option is not specified, the default is
@@ -192,27 +210,6 @@ Print the version number.
 Be verbose.
 Using this option causes gnunet\-publish to print progress information and at the end the file identification that can be used to download the file from GNUnet.
 .El
-.Ss SETTING ANONYMITY LEVEL
-.Bl -tag -width Ds
-.It Fl a Ar LEVEL | Fl \-anonymity= Ns Ar LEVEL
-.El
-.sp
-The \fB\-a\fR option can be used to specify additional anonymity constraints.
-If set to 0, GNUnet will publish the file non-anonymously and in fact sign the advertisement for the file using your peer's private key.
-This will allow other users to download the file as fast as possible, including using non-anonymous methods (DHT, direct transfer).
-If you set it to 1 (default), you use the standard anonymous routing algorithm (which does not explicitly leak your identity).
-However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time infer data about your identity.
-You can gain better privacy by specifying a higher level of anonymity, which increases the amount of cover traffic your own traffic will get, at the expense of performance.
-Note that regardless of the anonymity level you choose, peers that cache content in the network always use anonymity level 1.
-.Pp
-The definition of the ANONYMITY LEVEL is the following.
-0 means no anonymity is required.
-Otherwise a value of 'v' means that 1 out of v bytes of "anonymous" traffic can be from the local user, leaving 'v-1' bytes of cover traffic per byte on the wire.
-Thus, if GNUnet routes n bytes of messages from foreign peers (using anonymous routing), it may originate n/(v-1) bytes of data in the same time\-period.
-The time\-period is twice the average delay that GNUnet defers forwarded queries.
-.Pp
-The default is 1 and this should be fine for most users.
-Also notice that if you choose very large values, you may end up having no throughput at all, especially if many of your fellow GNUnet\-peers all do the same.
 .Sh EXAMPLES
 .Ss BASIC EXAMPLES
 Index a file COPYING:
diff --git a/doc/man/gnunet-search.1 b/doc/man/gnunet-search.1
index d4ad4b516..58e16ea7b 100644
--- a/doc/man/gnunet-search.1
+++ b/doc/man/gnunet-search.1
@@ -24,30 +24,25 @@ Search for content on GNUnet.
 The keywords are case-sensitive.
 .Nm
 can be used both for a search in the global namespace as well as for searching a private subspace.
+.Sh OPTIONS
 .Bl -tag -width Ds
 .It Fl a Ar LEVEL | Fl \-anonymity= Ns Ar LEVEL
-The \fB\-a\fR option can be used to specify additional anonymity constraints.
-If set to 0, GNUnet will try to download the file as fast as possible, including using non-anonymous methods.
+This option can be used to specify additional anonymity constraints. The default is 1.
+If set to 0, GNUnet will publish the file non-anonymously and in fact sign the advertisement for the file using your peer's private key.
+This will allow other users to download the file as fast as possible, including using non-anonymous methods (discovery via DHT and CADET transfer).
 If you set it to 1 (default), you use the standard anonymous routing algorithm (which does not explicitly leak your identity).
-However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time infer data about your identity.
-You can gain better privacy by specifying a higher level of anonymity, which increases the amount of cover traffic your own traffic will get, at the expense of performance.
-Note that your download performance is not only determined by your own anonymity level, but also by the anonymity level of the peers publishing the file.
-So even if you download with anonymity level 0, the peers publishing the data might be sharing with a higher anonymity level, which in this case will determine performance.
-Also, peers that cache content in the network always use anonymity level 1.
-.sp
-This option can be used to limit requests further than that.
-In particular, you can require GNUnet to receive certain amounts of traffic from other peers before sending your queries.
-This way, you can gain very high levels of anonymity \- at the expense of much more traffic and much higher latency.
-So set it only if you really believe you need it.
-.sp
-The definition of ANONYMITY\-RECEIVE is the following.
-0 means no anonymity is required.
-Otherwise a value of 'v' means that 1 out of v bytes of "anonymous" traffic can be from the local user, leaving 'v-1' bytes of cover traffic per byte on the wire.
-Thus, if GNUnet routes n bytes of messages from foreign peers (using anonymous routing), it may originate n/(v-1) bytes of queries in the same time\-period.
-The time\-period is twice the average delay that GNUnet defers forwarded queries.
-.sp
-The default is 1 and this should be fine for most users.
-Also notice that if you choose very large values, you may end up having no throughput at all, especially if many of your fellow GNUnet\-peers all do the same.
+However, a powerful adversary may still be able to perform traffic analysis (statistics) to over time discovery your identity.
+You can gain better privacy by specifying a higher level of anonymity (using values above 1).
+This tells FS that it must hide your own requests in equivalent\-looking cover traffic.
+This should confound an adversaries traffic analysis, increasing the time and effort it would
+take to discover your identity. However, it also can significantly reduce performance, as
+your requests will be delayed until sufficient cover traffic is available.  The specific
+numeric value (for anonymity levels above 1) is simple:
+Given an anonymity level L (above 1), each request FS makes on your behalf must be hidden in L\-1 equivalent
+requests of cover traffic (traffic your peer routes for others) in the same time\-period.
+The time\-period is twice the average delay by which GNUnet artificially delays traffic.
+Note that regardless of the anonymity level you choose, peers that cache content in the
+network always use anonymity level 1.
 .It Fl c Ar FILENAME | Fl \-config= Ns Ar FILENAME
 use config file (defaults: ~/.config/gnunet.conf)
 .It Fl h | \-help