\documentstyle[twoside, fancyheadings, doublespace, fullpage, epsf]{article}
\setstretch{1.5}
\textheight 8.8 in
\lhead{ David Molnar ({\it dmolnar@hcs.harvard.edu})}
\rhead{Free Haven Project: Notes Towards A Simulation Model \\
\today}
\begin{document}
\pagestyle{fancy}
\pagenumbering{arabic}
\section{Introduction; What This Is}
The Free Haven protocol uses parameters which are specified by
individual servers and publishers. For example, the size and expiration
date of shares is set at creation time as the publisher wishes. We
currently have no idea what the best parameters are. One way to find out
is to create a model of our system, and then use simulations or analysis
to determine good parameters.
This is the first stab at such a model.
\section{General Model}
This section tries to outline the most general model possible. The next
section will consider simplifications necessary for a first round
simulation and analysis.
The servnet is considered as a directed graph. Each node in the graph
represents a server. Each edge represents a means which the origin has of
communicating with the terminal. For the purposes of this model, these
edges are assumed to be anonymous channels.
\it{picture of graph goes here}
Because every node is assumed to know about every other node, we have a
fully connected graph. Now we can define some terms for talking about how
the Free Haven protocol works on this graph.
\subsection{Data and Terms}
We have defined the graph $G = (N, E)$ with $N$ the set of servnet nodes
and $E$ the set of anonymous channels.
There is a notion of time divided into discrete \emph{steps.} Time starts
at step 0 and is then unbounded.
Free Haven is a system for storing \emph{files}. Files are defined as sets
of \emph{shares}. A share is a unit of data; shares may have a certain
\emph{size} and an \emph{expiration date.}
Each node $X$ has the following state associate with it :
\begin{description}
\item[share store:] Each node has a ``share store" which represents
the shares currently held by that node, and the node's
holding capacity.
\item[trust function] Each node has a function $\phi_X : N \rightarrow
[0,1]$ which maps nodes to a real ``trust value" between 0 and 1. The
value 1 represents fully trusted. The value 0 represents not trusted at
all.
\item[metatrust function] Each node has a function $\psi_X : N \rightarrow
[0, 1]$ which maps nodes to a real ``meta-trust value" between 0 and 1.
The value 0 means that the node has no confidence in its value of
$\phi_X(n)$ for a particular $n \in N$; the value 1 means that the node
has complete confidence in its value of $\phi_X(n)$.
\item[trade probability function] Each node has a function which models
the ``decision" to trade on each step and returns a probability betwen 0
and 1. Not yet clear what this should depend on. Certainly the timestep,
but also the values of the share store, trust functions, and meta-trust
functions? (e.g. "Trade only if about to expire share and median trust is
above some threshold with high confidence").
\end{description}
\subsection{Step Update}
We now describe how the system evolves from step to step.
NOTE : this needs work to fit with the general framework established in
the previous subsection...
At each step, each node N does the following :
\begin{itemize}
\item
1) N decides with probability p1 "Do I want to trade?"
If N does not want to trade, continue.
\item
2) If N wants to trade,
then
\begin{itemize}
\item
2.1) N selects uniformly at random from the set of all
other
servnet nodes a destination D
\item
2.2) N selects uniformly at random from the set of all its
shares a share S1
\item
2.3) D selects uniformly at random from the set of all its
shares a share S2
NOTE 1 : What if either N or D have no shares?? My
inclination is to just trade for a "null share." It
doesn't make sense to forbid trades, or else trading
is quickly restricted to a very small set of nodes.
What do we do in the real protocol, again?
\item
2.4) The nodes N and D exchange their shares S1 and S2
\end{itemize}
\item
3) If D is an adversary node, then it destroys S1. If D is not
an adversary node, then it keeps S1.
NOTE 2 : What should an adversary node trade out??
In the model as just described, it never has any shares
to trade (by definition!). Should it always trade out
null shares, or should it make up special
marked "adversary shares" so we can see how far they
propagate through the network?
\item
4) Continue.
\end{itemize}
\section{Metrics}
This section discusses metrics of ``goodness" for the preceding model,
such as ``how many nodes must be corrupted before a file is lost."
\section{First Round Simulation and Analysis : Simplified Model}
This needs work to make each of these assumptions precise/mathematical in
terms of the first section.
\begin{itemize}
\item
Each node has zero or more shares. No shares are created during the
simulation.
\item The initial placement of shares is arbitrary (set by the user of the
sim). Maybe it's confined to a bunch of start nodes.
\item Some arbitrary percentage P of the nodes are controlled by an
adversary.
\item
This percentage is fixed at network construction time. That is, we have
a static adversary.
\item
The adversary's only behavior is to drop packets on the floor, always.
The adversary does *not* decide whether or not to drop something - it
just drops all incoming packets.
\item
All nodes trust all other nodes completely and forever. That is, we
don't model the effect of the trust network in the first version.
Note that this means we will get wildly different answers for constants
and robustness in the first version than we will in the final one.
This will allow us to quantitatively estimate the importance of the
trust network.
\item
All files use the same number of shares. All files use a n/2 threshold.
(i.e. 15 out of 30 required to reconstruct). * All shares are the same
size.
\item
Nodes have unlimited storage space for shares.
\item
No shares ever expire during the time of the simulation.
\item
Nodes will trade for anything.
\item
All trades are always successful.
\end{itemize}
\section{Mathematical Techniques and Related Work}
This section discusses mathematical techniques for analysing this model,
and related work on similar models.
\end{document}