tor/doc/incentives.txt

250 lines
12 KiB
Plaintext
Raw Normal View History

Tor Incentives Design Brainstorms
1. Goals: what do we want to achieve with an incentive scheme?
1.1. Encourage users to provide good relay service (throughput, latency).
1.2. Encourage users to allow traffic to exit the Tor network from
their node.
2. Approaches to learning who should get priority.
2.1. "Hard" or quantitative reputation tracking.
In this design, we track the number of bytes and throughput in and
out of nodes we interact with. When a node asks to send or receive
bytes, we provide service proportional to our current record of the
node's value. One approach is to let each circuit be either a normal
circuit or a premium circuit, and nodes can "spend" their value by
sending and receiving bytes on premium circuits: see section 4.1 for
details of this design. Another approach (section 4.2) would treat
all traffic from the node with the same priority class, and so nodes
that provide resources will get and provide better service on average.
2.2. "Soft" or qualitative reputation tracking.
Rather than accounting for every byte (if I owe you a byte, I don't
owe it anymore once you've spent it), instead I keep a general opinion
about each server: my opinion increases when they do good work for me,
and it decays with time, but it does not decrease as they send traffic.
Therefore we reward servers who provide value to the system without
nickle and diming them at each step. We also let them benefit from
relaying traffic for others without having to "reserve" some of the
payment for their own use. See section 4.3 for a possible design.
2.3. Centralized opinions from the reputation servers.
The above approaches are complex and we don't have all the answers
for them yet. A simpler approach is just to let some central set
of trusted servers (say, the Tor directory servers) measure whether
people are contributing to the network, and provide a signal about
which servers should be rewarded. They can even do the measurements
via Tor so servers can't easily perform only when they're being
tested. See section 4.4.
2.4. Reputation servers that aggregate opinions.
The option above has the directory servers doing all of the
measurements. This doesn't scale. We can set it up so we have "deputy
testers" -- trusted other nodes that do performance testing and report
their results. If we want to be really adventurous, we could even
accept claims from every Tor user and build a complex weighting /
reputation system to decide which claims are "probably" right.
3. Related issues we need to keep in mind.
3.1. Relay and exit needs to be easy and usable.
Implicit in all of the above designs is the need to make it easy to
run a Tor server out of the box. We need to make it stable on all
common platforms (including XP), it needs to detect its available
bandwidth and not overreach that, and it needs to help the operator
through opening up ports on his firewall. Then we need a slick GUI
that lets people click a button or two rather than editing text files.
Once we've done all this, we'll need to face the big question: is
most of the barrier to growth caused by the unusability of the current
software? If so, are the rest of these incentive schemes superfluous?
3.2. The network effect: how many nodes will you interact with?
One of the concerns with pairwise reputation systems is that as the
network gets thousands of servers, the chance that you're going to
interact with a given server decreases. So if in 90% of interactions
you're acting for the first time, the "local" incentive schemes above
are going to degrade. This doesn't mean they're pointless -- it just
means we need to be aware that this is a limitation, and plan in the
background for what step to take next.
3.3. Guard nodes
As of Tor 0.1.1.11, Tor users pick from a small set of semi-permanent
"guard nodes" for their first hop of each circuit. This seems to have
a big impact on pairwise reputation systems since you will only be
cashing in on your reputation to a few people, and it is unlikely
that a given pair of nodes will both use the other as guard nodes.
What does this imply? For one, it means that we don't care at all
about the opinions of most of the servers out there -- we should
focus on keeping our guard nodes happy with us.
One conclusion from that is that our design needs to judge performance
not just through direct interaction (beginning of the circuit) but
also through indirect interaction (middle of the circuit). That way
you can never be sure when your guards are measuring you.
3.4. Restricted topology: benefits and roadmap.
As the Tor network continues to grow, we will need to make design
changes to the network topology so that each node does not need
to maintain connections to an unbounded number of other nodes. For
anonymity's sake, we're going to partition the network such that all
the nodes have the same belief about the divisions and each node is
in only one partition. (The alternative is that every user fetches
his own random subset of the overall node list -- this is bad because
of intersection attacks.)
Therefore the "network horizon" for each user will stay bounded,
which helps against the above issues in 3.2 and 3.3.
It could be that the core of long-lived servers will all get to know
each other, and so the critical point that decides whether you get
good service is whether the core likes you. Or perhaps it will turn
out to work some other way.
A special case here is the social network, where the network isn't
partitioned randomly but instead based on some external properties.
More on this later.
3.5. Profit-maximizing vs. Altruism.
There are some interesting game theory questions here.
First, in a volunteer culture, success is measured in public utility
or in public esteem. If we add a reward mechanism, there's a risk that
reward-maximizing behavior will surpass utility- or esteem-maximizing
behavior.
Specifically, if most of our servers right now are relaying traffic
for the good of the community, we may actually *lose* those volunteers
if we turn the act of relaying traffic into a selfish act.
I am not too worried about this issue for now, since we're aiming
for an incentive scheme so effective that it produces thousands of
new servers.
3.6. What part of the node's performance do you measure?
We keep referring to having a node measure how well the other nodes
receive bytes. But many transactions in Tor involve fetching lots of
bytes and not sending very many. So it seems that we want to turn
things around: we need to measure how quickly a node can _send_
us bytes, and then only send it bytes in proportion to that.
There's an obvious attack though: a sneaky user could simply connect
to a node and send some traffic through it. Voila, he has performed
for the network. This is no good. The first fix is that we only count
if you're sending bytes "backwards" in the circuit. Now the sneaky
user needs to construct a circuit such that his node appears later
in the circuit, and then send some bytes back quickly.
Maybe that complexity is sufficient to deter most lazy users. Or
maybe it's an argument in favor of a more penny-counting reputation
approach.
3.7. What is the appropriate resource balance for servers vs. clients?
If we build a good incentive system, we'll still need to tune it
to provide the right bandwidth allocation -- if we reserve too much
bandwidth for fast servers, then we're wasting some potential, but we
if we reserve too little, then fewer people will opt to become servers.
How do we find the right balance?
One answer is that it doesn't have to be perfect: we can err on the
side of providing extra resources to servers, then we will achieve our
desired goal: when people complain about speed, we can tell them to
run a server, and they will in fact get better performance. In fact,
finding an optimum balance is especially hard because it's a moving
target: the better our incentive mechanism (and the lower the barrier
to setup), the more servers there will be.
3.8. Anonymity attack: fast connections probably come from good servers.
3.9. How do we allocate bandwidth over the course of a second?
4. Sample designs.
4.1. Two classes of service for circuits.
4.2. Treat all the traffic from the node with the same service;
hard reputation system.
4.3. Treat all the traffic from the node with the same service;
soft reputation system.
Rather than a guaranteed system with accounting (as 4.1 and 4.2),
we instead try for a best-effort system. All bytes are in the same
class of service. You keep track of other Tors by key, and give them
service proportional to the service they have given you. That is, in
the past when you have tried to push bytes through them, you track the
number of bytes and the average bandwidth, and use that to weight the
priority of their connections if they try to push bytes through you.
Now you're going to get minimum service if you don't ever push bytes
for other people, and you get increasingly improved service the more
active you are. We should have memories fade over time (we'll have
to tune that, which could be quite hard).
Pro: Sybil attacks are pointless because new identities get lowest
priority.
Pro: Smoothly handles periods of both low and high network load. Rather
than keeping track of the ratio/difference between what he's done for
you and what you've done for him, simply keep track of what he's done
for you, and give him priority based on that.
Based on 3.3 above, it seems we should reward all the nodes in our
path, not just the first one -- otherwise the node can provide good
service only to its guards. On the other hand, there might be a
second-order effect where you want nodes to like you so that *when*
your guards choose you for a circuit, they'll be able to get good
performance. This tradeoff needs more simulation/analysis.
This approach focuses on incenting people to relay traffic, but it
doesn't do much for incenting them to allow exits. It may help in
one way through: if there are few exits, then they will attract a
lot of use, so lots of people will like them, so when they try to
use the network they will find their first hop to be particularly
pleasant. After that they're like the rest of the world though.
Pro: this is a pretty easy design to add; and it can be phased in
incrementally simply by having new nodes behave differently.
4.4. Centralized opinions from the reputation servers.
Have a set of official measurers who spot-check servers from the
directory to see if they really do offer roughly the bandwidth
they advertise. Include these observations in the directory. (For
simplicity, the directory servers could be the measurers.) Then Tor
servers weight priority for other servers depending on advertised
bandwidth, giving particularly low priority to connections not
listed or that failed their spot-checks. The spot-checking can be
done anonymously, because hey, we have an anonymity network.
We could also reward exit nodes by giving them better priority, but
like above this only will affect their first hop. Another problem
is that it's darn hard to spot-check whether a server allows exits
to all the pieces of the Internet that it claims to. A last problem
is that since directory servers will be doing their tests directly
(easy to detect) or indirectly (through other Tor servers), then
we know that we can get away with poor performance for people that
aren't listed in the directory.
5. Recommendations and next steps.