Add section quantifying distributed trust

chapters/01_introduction.tex

@@ -30,7 +30,7 @@ The publication can be implemented in many different ways, which we will take a
 For now, the reader may imagine that the TSA publishes its time-stamps in a newspaper.
 The time-stamping company \emph{Surety} actually employed this method of publication in practice. (Citation needed)
 
-Witnesses keep records of the time-stamps issued by the TSA.
+Witnesses keep a record of the time-stamps issued by the TSA.
 They do not accept time-stamps issued too far in the past.
 Staying with the example of time-stamps published in a newspaper, the newspaper archives of public libraries can act as witnesses.
 To prevent backdating attacks, a library only archives a newspaper which it receives on the printed date of publication.
@@ -44,3 +44,69 @@ Instead, it would require the active cooperation of a sufficiently large number
 The client's trust is thus \emph{distributed} over the TSA, the publication process and the witnesses.
 
 \subsubsection{Quantifying distributed trust}
+
+Let us now introduce a mathematical model for the publication scheme outlined in the previous section.
+Say the TSA publishes its time-stamps to $N$ witnesses.
+It should be emphasized that a witness is required to keep a record of time-stamps.
+Going back to our example of time-stamps published in a newspaper, $N$ does \emph{not} correspond to the number of copies printed.
+Instead, $N$ refers to the number of places that keep archives of the newspaper.
+
+We assume that there exist a number $E$ of malicious witnesses that collude together with the TSA in an attempt to backdate time-stamps.
+
+Finally, a client consults a number $n$ of witnesses to verify a time-stamp.
+The client only accepts the time-stamp if all $n$ selected witnesses confirm its existence at the given time.
+
+Let $e$ be the number of maliciously colluding witnesses selected by the client.
+Evidently, a successful backdating attack occurs when the client selects only colluding witnesses, so when $e=n$.
+
+Let us now further assume that the client selects its $n$ witnesses from the total number of witnesses $N$ completely at random.
+Our problem is now equivalent to the urn problem when ``drawing without replacement''.
+$e$ thus follows the hypergeometric distribution. (cite Forbes2010Statistical pp. 117-119)
+
+\begin{equation}
+  \left. P(e=k)=\binom{E}{k}\binom{N-E}{n-k} \middle/ \binom{N}{n}\right.
+\end{equation}
+
+The probability of a successful backdating attack is then given by the equation:
+
+\begin{equation}
+  \left. P(e=n)=\binom{E}{n} \middle/ \binom{N}{n}\right.
+\end{equation}
+
+In practice, the selection of witnesses may not be truly random.
+Sticking to our example of newspaper archives, a client will likely prefer libraries which are geographically close to them.
+A network protocol for distributed trust may also favor witnesses with small round-trip times in order to increase performance.
+
+An attacker may be able to leverage this by placing colluding witnesses at favorable locations.
+We can model this by introducing a weight parameter $\omega$, where a malicious witness is $\omega$ times more likely to be selected than an honest witness.
+$e$ then follows Fisher's noncentral hypergeomtric distribution. (cite Fog2008Sampling)
+
+\begin{align}
+  e_{\mathrm{min}}&=\max(0, n+E-N)\\
+  e_{\mathrm{max}}&=\min(n, E)\\
+  P(e=k)&=\left. \binom{E}{k}\binom{N-E}{n-k}\omega^k \middle/ \sum_{k'=e_{\mathrm{min}}}^{e_{\mathrm{max}}} \binom{E}{k'}\binom{N-E}{n-k'}\omega^{k'} \right.
+\end{align}
+
+With the probability of a successful backdating attack being:
+
+\begin{equation}
+  P(e=n)=\left. \binom{E}{n}\omega^n \middle/ \sum_{k'=e_{\mathrm{min}}}^{e_{\mathrm{max}}} \binom{E}{k'}\binom{N-E}{n-k'}\omega^{k'} \right.
+\end{equation}
+
+Note that these equations are equivalent to the hypergeomtric distribution when $\omega=1$.
+This is the optimal case, limiting the probability of a successful backdating attack as much as possible.
+
+$\omega$ approaches infinity if the attacker can ensure that the client will only select malicious witnesses.
+In this case, the probability of a successful backdating attack approaches 1.
+
+\begin{equation}
+  \lim_{\omega\rightarrow \infty} P(e=n)=1
+\end{equation}
+
+This is, of course, the worst possible case for security.
+
+TODO: Add lots of graphs for the probability distributions in this section.
+
+TODO: The other side of trust is that Alice needs to trust service availability.
+Can be solved by employing multiple TSAs.
+Quickly explain this.

main.tex

@@ -27,6 +27,7 @@
 % UTILITY PACKAGES
 \usepackage{cite}
 \usepackage{comment} % enables block comments via \begin{comment} ... \end{comment} environment
+\usepackage{amsmath} % for all the good maths stuff like the align environment
 \usepackage{amsthm} % for definitions, lemmas, etc. - also for defining your own stuff, eg below:
     %\theoremstyle{definition}  % defines a new theorem called definition
     %\newtheorem{definition}{Definition}[section]   % definition setup and call